
Mar 31 2022

wiktor-k added a comment to T5813: Locating Keys via WKD with gpg4win fails with unknown error..

I still think that redirecting to another catch-all domain is contrary to the original goal and weakens the security model. We need to see what we can do about this.

Mar 31 2022, 8:27 AM · wkd, gpg4win, Bug Report

Jun 25 2021

wiktor-k updated wiktor-k.
Jun 25 2021, 8:13 AM

Jan 5 2021

wiktor-k added a comment to T4694: manage first-party attestations.

For the context of all subscribed parties I think Werner refers to what Hockeypuck is doing: https://lists.gnupg.org/pipermail/gnupg-users/2020-December/064441.html

Jan 5 2021, 10:45 AM · Keyserver, Feature Request

Mar 10 2020

wiktor-k added a comment to T4856: GPG: Key Exchange Put public OpenPGP key into signature.

This is a nice idea and although it overlaps with Autocrypt it has other uses too: for example verification of signed files that can be vastly simplified (just get the file and the signature, no key fetching needed, downside: the key attached to the signature could be stale).

Mar 10 2020, 10:04 AM · Feature Request, gpgol, Keyserver, gnupg

Aug 12 2019

wiktor-k added a comment to T4108: Support for verifying OpenPGP standalone and timestamp signatures.

Sounds interesting @stm! Are there technical documents or specifications I could read to dig into details?

Aug 12 2019, 10:18 AM · gnupg24, gnupg (gpg23), Feature Request

Aug 6 2019

wiktor-k added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

DNSSEC is a centralized CA system. Just different than the TLS one. Given that Certificate Transparency exists I'd say DNSSEC is less transparent than TLS. For example if you happen to have a .ly domain then the Libyan can silently control your signed zone. Given that there is no CT for DNSSEC they can do so selectively, for any connection they want. It wouldn't be the first problem with them.

Aug 6 2019, 1:56 PM · dns, dirmngr

Jul 11 2019

wiktor-k added a comment to T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures.

Is it really necessary to duplicate functionality that is already provided by Web Key Directory?

Jul 11 2019, 12:25 PM · dns, dirmngr

Jul 3 2019

wiktor-k added a comment to T4108: Support for verifying OpenPGP standalone and timestamp signatures.

I'm also interested in fine details especially w.r.t. interfacing with GnuPG. I've seen multiple timestamping standards starting from RFC3161, to blockchains or secure time protocols even (ab)using Certificate Transparency logs and ideas on how to append the signature (timestamp flag vs unhashed notations) so I'll be eager to hear the details on the ML @stm!

Jul 3 2019, 10:31 PM · gnupg24, gnupg (gpg23), Feature Request

wiktor-k added a comment to T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver.

@dkg I believe @aheinecke gave the GpgOL description just as an example of why WKD-first retrieval would be beneficial (for details of that see https://wiki.gnupg.org/AutomatedEncryption#Trust_Levels) and I believe this ticket is a follow-up to my question on gnupg-devel ML: https://lists.gnupg.org/pipermail/gnupg-devel/2019-June/034372.html

Jul 3 2019, 7:26 PM · gnupg (gpg22), wkd

Jun 26 2019

wiktor-k added a comment to T4584: --quick-sign-key offers no way to override a current certification.

For the record in my original message I asked about adding self-signatures.

Jun 26 2019, 11:12 AM · Restricted Project, gnupg (gpg22), Feature Request

Nov 14 2018

wiktor-k added a comment to T4254: broken link to gpgrelay in website.

"Miranda ICQ [Unix] CHAT" also doesn't work. Maybe it would be a good idea to check all of them via script or something like that...

Nov 14 2018, 7:19 PM · Bug Report

Aug 29 2018

wiktor-k added a comment to T4060: Add ability to mark critical notations as "recognized" during signature verification.

Thank you!

Aug 29 2018, 9:50 AM · gnupg (gpg22), Feature Request

Jul 8 2018

wiktor-k added a comment to T4060: Add ability to mark critical notations as "recognized" during signature verification.

Agreed, after the verification succeeds the caller can (and probably will) check the signature notations.

Jul 8 2018, 9:49 PM · gnupg (gpg22), Feature Request

Jul 7 2018

wiktor-k created T4060: Add ability to mark critical notations as "recognized" during signature verification.
Jul 7 2018, 10:43 PM · gnupg (gpg22), Feature Request

Jul 2 2018

wiktor-k added a comment to T3910: Kleopatra: Direct way to WKD Lookup a key.

Ha, I wish e-mail-like searches would be done using only WKD with no fallbacks to keyservers... that way keys would be "more verified"... but I understand it may be not practical :)

Jul 2 2018, 11:39 AM · Restricted Project, kleopatra

Nov 8 2017

wiktor-k added a comment to T2923: trust signature domain restrictions don't work.

For what it's worth, I think sanitize_regexp was programmed while reading 4880 because the RFC allows backslash + any character (section 8: Regular Expressions):

Nov 8 2017, 8:15 AM · gnupg (gpg14), Bug Report

Nov 7 2017

wiktor-k added a comment to T2923: trust signature domain restrictions don't work.

For reference, sanitize_regexp was introduced in this commit from 2007 to "Protect against malloc bombs.": and I see no changes to it (except typo correction) in git blame in trustdb.c.

Nov 7 2017, 9:30 PM · gnupg (gpg14), Bug Report