Re: [Sks-devel] unwanted tolerance of buggy keys


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] unwanted tolerance of buggy keys
Date: Tue, 31 Jul 2012 03:00:25 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20120713 Thunderbird/14.0

On 2012-07-30 21:20, Clint Adams wrote:
> This key
> 
> http://zimmerman.mayfirst.org:11371/pks/lookup?op=get&search=0xED34CEABE27BAABC
> 
> is buggy.  It contains a generic certification packet on the first subkey
> and a positive certification packet on the second subkey.
> 
> From a quick glance at the SKS source code, it looks as though the signature
> type is not being checked.
> 
> If I read RFC4480 section 11.1 correctly, the only signature types valid on
> a subkey should be 0x19 and 0x28.
> 
> Could you please implement this restriction in SKS?
> 

I'm testing out a patch [0] at [1]. Could you please confirm that this
is to your expectation?

Note that this is implemented in the cleaning layer for vindex and get,
and not on the data store, so the original data is available at [2] (and
respective clean=off for get).

[0]
https://bitbucket.org/kristianf/sks-keyserver/changeset/b436e48dd8e08c247b841c5460786655d3e148bf

[1]
http://keys2.kfwebs.net:11371/pks/lookup?op=vindex&search=0xED34CEABE27BAABC

[2]
http://keys2.kfwebs.net:11371/pks/lookup?op=vindex&clean=off&search=0xED34CEABE27BAABC
-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is now
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

Attachment: signature.asc
Description: OpenPGP digital signature
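
The check discussed in this message, as an added example that is not part of the original e-mail and is not the code of the SKS patch: it walks the packets of a binary OpenPGP key and drops any signature following a subkey whose type is not in an allowed set, leaving the input bytes untouched the way a cleaning layer would. The function names, the sample key and the default allowed set (0x18 subkey binding and 0x28 subkey revocation from the RFC 4880 signature type list, overridable through `allowed`) are assumptions of this example.

```python
SIGNATURE, PUBKEY, USER_ID, SUBKEY = 2, 6, 13, 14        # RFC 4880 packet tags
ALLOWED_ON_SUBKEY = frozenset({0x18, 0x28})  # assumed: subkey binding, subkey revocation

def packets(data):  # yields (tag, body, raw) per packet of a binary OpenPGP key
    i = 0
    while i < len(data):
        start, hdr = i, data[i]
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        if hdr & 0x40:                                   # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                n, i = first, i + 2
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                n, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length not handled")
        else:                                            # old-format header
            tag, w = (hdr >> 2) & 0x0F, 1 << (hdr & 3)   # 1, 2 or 4 length octets
            if w == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i + 1:i + 1 + w], "big"), i + 1 + w
        if i + n > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + n], data[start:i + n]
        i += n

def sig_type(body):  # type octet: offset 2 in a v3 signature, offset 1 in v4
    off = {3: 2, 4: 1}.get(body[0]) if body else None
    return body[off] if off and len(body) > off else None

def clean_subkey_sigs(data, allowed=ALLOWED_ON_SUBKEY):  # -> (cleaned, dropped)
    out, dropped, subkey_no, on_subkey = bytearray(), [], 0, False
    for tag, body, raw in packets(data):
        if tag != SIGNATURE:          # any other packet starts a new context
            on_subkey = tag == SUBKEY
            subkey_no += on_subkey
        elif on_subkey and sig_type(body) not in allowed:
            dropped.append((subkey_no, sig_type(body)))  # None = unparsable
            continue
        out += raw
    return bytes(out), dropped

def pkt(tag, body):  # constructed sample data: new-format header, short body
    return bytes([0xC0 | tag, len(body)]) + body
SIGS = {t: pkt(SIGNATURE, bytes([4, t, 1, 8])) for t in (0x10, 0x13, 0x18)}
SAMPLE = (pkt(PUBKEY, b"primary") + pkt(USER_ID, b"uid") + SIGS[0x13] + pkt(SUBKEY, b"s1")
          + SIGS[0x18] + SIGS[0x10] + pkt(SUBKEY, b"s2") + SIGS[0x13])
```

`clean_subkey_sigs(SAMPLE)` reports the 0x10 signature on the first subkey and the 0x13 signature on the second as dropped, while the 0x13 certification on the user ID is kept.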

