Idea: Add a way to use pgp/gpg keyid in control.ctl
inn at tracker.fire-world.de
Tue Apr 19 23:38:14 UTC 2005
Today I discovered a glitch with pgpverify. The control key for the
at.* hierarchy has the uid:
pub 1024R/AE548CCD 1997-04-10 austrian usenet coordinator <control at usenet.backbone.at>
which, when parsed with pgpverify, will return different uids after
When using pgp, pgpverify returns control at usenet.backbone.at as uid.
When using gpg, pgpverify returns austrian as uid.
Because of this, the default control.ctl wouldn't recognize a valid
at.* control when checked with gpg.
This led to another thought: If someone made a key with the same uid
as a key in the control.ctl file and uploads that key to the
keyservers, it could be possible that some users download the wrong
key from the keyserver when they search for the uid, and in the worst
case could automatically execute faked controls.
A much more robust solution would be:
Make it possible to specify a keyid in the control.ctl, perhaps
rmgroup:control at usenet.backbone.at:at.*:pgpkey-AE548CCD=mail
This would make it much easier to parse the gpg output and also
would make it harder to fake a control key. In addition this will not
break when keys have non-standard uids or multiple uids.
I don't know the format of the pgp output right now; I hope that
there is a keyid somewhere in the output?
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Wehret den Anfaengen: http://odem.org/informationsfreiheit/
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
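
An added sketch of the check the post proposes (not part of the original message, and not pgpverify's or INN's code): it compares a uid-based decision with a key-ID pin, using GnuPG `--status-fd` style `GOODSIG` lines. The `pgpkey-` field is the post's hypothetical syntax, and the status lines and the upper halves of the long key IDs are constructed sample values.

```python
import re

# Entry in the syntax proposed in the post (hypothetical; not INN's control.ctl grammar).
CTL_LINE = "rmgroup:control at usenet.backbone.at:at.*:pgpkey-AE548CCD=mail"

# Constructed status lines; the upper half of each long key ID is a placeholder.
UID = "austrian usenet coordinator <control at usenet.backbone.at>"
GENUINE = "[GNUPG:] GOODSIG AAAAAAAAAE548CCD " + UID
LOOKALIKE = "[GNUPG:] GOODSIG BBBBBBBB12345678 " + UID  # same uid, different key
TAMPERED = "[GNUPG:] BADSIG AAAAAAAAAE548CCD " + UID    # signature did not verify

def parse_pin(ctl_line):
    """Split the entry and return (message, sender, groups, key_id, log)."""
    message, sender, groups, action = ctl_line.split(":", 3)
    # Accept an 8-digit key ID or the 16-digit long form.
    m = re.fullmatch(r"pgpkey-((?:[0-9A-Fa-f]{8}){1,2})(?:=(\w+))?", action)
    if not m:
        raise ValueError("no pgpkey- pin in action field: %r" % action)
    return message, sender, groups, m.group(1).upper(), m.group(2)

def good_signer(status_text):
    """Return (key_id, uid) from a GOODSIG line, or None if there is none."""
    for line in status_text.splitlines():
        m = re.fullmatch(r"\[GNUPG:\] GOODSIG ([0-9A-Fa-f]+) (.*)", line)
        if m:
            return m.group(1).upper(), m.group(2)
    return None

def accept_by_uid(status_text, sender):
    """Decision based only on the uid text carried by the signing key."""
    signer = good_signer(status_text)
    return signer is not None and sender in signer[1]

def accept_by_keyid(status_text, pinned):
    """Decision based on the key ID; the uid text is ignored entirely."""
    signer = good_signer(status_text)
    return signer is not None and signer[0].endswith(pinned)

if __name__ == "__main__":
    _, sender, _, pin, _ = parse_pin(CTL_LINE)
    for name, status in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                         ("tampered", TAMPERED)):
        print(name, "uid:", accept_by_uid(status, sender),
              "keyid:", accept_by_keyid(status, pin))
```

The look-alike key passes the uid check and fails the key-ID check, which is the case the post is worried about. Pinning the 16-digit long ID instead of the 8-digit one narrows the match further.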