Re: [Sks-devel] heads-up: another attack tool, using SKS as FS

From: Robert J. Hansen
Subject: Re: [Sks-devel] heads-up: another attack tool, using SKS as FS
Date: Fri, 13 Jul 2018 23:37:21 -0400
> IMHO Photo-ID should be dropped entirely, I see no point and it's just
> ripe for abuse like this.

Unfortunately, we really can't.  They've been part of OpenPGP
certificates for just about twenty years now.  They are an expected part
of the certificate.  Users already scream bloody murder about GnuPG and
Enigmail dropping support for SE packets, and those have been deprecated
since 2003.  The idea of just waving a wand and getting rid of a
non-deprecated part of a public key is just ... no.

Is it technically possible?  Yes.  But it would require a significant
amount of redesign: we'd have to parse out the key, recognize images,
drop them, etc.  Right now SKS does *zero* cryptographic verification of
the key data; we'd need to change SKS to introduce at least some crypto.

Is it possible without facing a user revolt?  No.
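To make concrete what "parse out the key, recognize images, drop them" means at the packet level, here is an added example (my own illustration, not SKS code and not anything proposed on this list). It walks an OpenPGP packet stream per RFC 4880 (section 4.2 headers, section 5.12 User Attribute subpackets), flags the image subpacket (type 1) and rewrites the certificate without User Attribute packets and the certification signatures that bind them. Like SKS today it does no cryptographic verification, so it cannot tell a genuine photo ID from an attacker's upload; it only recognizes the packet types. The sample key material is constructed dummy bytes, not a real key, and partial-body lengths and indeterminate old-format lengths are deliberately rejected rather than handled.

```python
import struct

# RFC 4880 packet tags relevant to a transferable public key (sect. 11.1)
TAG_SIG = 2
TAG_PUBKEY = 6
TAG_USERID = 13
TAG_PUBSUBKEY = 14
TAG_USER_ATTR = 17


def parse_packets(data):
    """Yield (tag, body) for each packet; old and new header formats (RFC 4880 sect. 4.2)."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable-length body length
            tag, first = ctb & 0x3F, data[i + 1]
            i += 2
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length-type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            i += 1
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += length


def encode_packet(tag, body):
    """Serialize a packet with a new-format header."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + struct.pack(">I", n)
    return hdr + body


def describe_user_attribute(body):
    """Return [(subpacket_type, is_image)] for a User Attribute body (RFC 4880 sect. 5.12)."""
    out, i = [], 0
    while i < len(body):
        first = body[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + body[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", body[i + 1:i + 5])[0], i + 5
        sub = body[i:i + length]
        i += length
        out.append((sub[0], sub[0] == 1))  # subpacket type 1 is the image attribute
    return out


def strip_user_attributes(data):
    """Drop User Attribute packets plus the signatures bound to them; return (bytes, removed_count).

    Signatures following a User Attribute certify that attribute (sect. 11.1), so they go too;
    the next User ID, subkey or primary key packet ends the run. Nothing is verified here."""
    out, removed, in_attr = [], 0, False
    for tag, body in parse_packets(data):
        if tag == TAG_USER_ATTR:
            in_attr, removed = True, removed + 1
            continue
        if tag == TAG_SIG and in_attr:
            removed += 1
            continue
        if tag in (TAG_USERID, TAG_PUBSUBKEY, TAG_PUBKEY):
            in_attr = False
        out.append(encode_packet(tag, body))
    return b"".join(out), removed


def packet_tags(data):
    return [tag for tag, _ in parse_packets(data)]


def build_sample_key():
    """Constructed dummy transferable public key: key, UID+sig, photo attribute+sig, subkey+sig."""
    img_hdr = struct.pack("<H", 16) + b"\x01\x01" + b"\x00" * 12  # v1 image header, JPEG
    img_data = img_hdr + b"\xff\xd8\xff\xe0JFIF-constructed"
    attr_body = bytes([1 + len(img_data), 1]) + img_data  # one subpacket, type 1
    return b"".join([
        encode_packet(TAG_PUBKEY, b"\x04constructed-key-material"),
        encode_packet(TAG_USERID, b"Alice <alice@example.org>"),
        encode_packet(TAG_SIG, b"\x04\x13constructed-uid-cert"),
        encode_packet(TAG_USER_ATTR, attr_body),
        encode_packet(TAG_SIG, b"\x04\x13constructed-attr-cert"),
        encode_packet(TAG_PUBSUBKEY, b"\x04constructed-subkey"),
        encode_packet(TAG_SIG, b"\x04\x18constructed-binding"),
    ])


if __name__ == "__main__":
    key = build_sample_key()
    stripped, removed = strip_user_attributes(key)
    print("before:", packet_tags(key), "after:", packet_tags(stripped), "removed:", removed)
```

The design point is that this is pure packet-grammar work: the stripper never checks a signature, so it would happily drop a legitimate photo ID and keep an attacker's garbage User ID, which is exactly the gap Robert describes.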

