Idea: Add a way to use pgp/gpg keyid in control.ctl

Sebastian Wiesinger inn at tracker.fire-world.de
Tue Apr 19 23:38:14 UTC 2005


Today I discovered a glitch with pgpverify. The control key for the
at.* hierarchy has the uid:

pub  1024R/AE548CCD 1997-04-10 austrian usenet coordinator <control at usenet.backbone.at>

which, when parsed with pgpverify, will return different uids after
parsing:

When using pgp, pgpverify returns control at usenet.backbone.at as uid.

When using gpg, pgpverify returns austrian as uid.

Because of this, the default control.ctl wouldn't recognize a valid
at.* control when checked with gpg.

This led to another thought: If someone made a key with the same uid
as a key in the control.ctl file and uploaded that key to the
keyservers, it could be possible that some users download the wrong
key from the keyserver when they search for the uid, and in the worst
case could automatically execute faked controls.

A much more robust solution would be:

Make it possible to specify a keyid in the control.ctl, perhaps
something like:

rmgroup:control at usenet.backbone.at:at.*:pgpkey-AE548CCD=mail

This would make it much easier to parse the gpg output[1] and also
would make it harder to fake a control key. In addition this will not
break when keys have non-standard uids or multiple uids.


Comments, Suggestions?

Regards,

Sebastian

[1] I don't know the format of the pgp output right now, I hope that
there is a keyid somewhere in the output?
-- 
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Wehret den Anfaengen: http://odem.org/informationsfreiheit/
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
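
An added illustration of the proposal in the post above (not code from the post, pgpverify, or INN): it decides on a control message by the signer's key ID taken from gpg's `--status-fd` output instead of by uid. The `pgpkey-` syntax is the post's suggestion rather than an existing control.ctl feature, and the status lines and long key IDs are constructed samples.

```python
import re

# Proposed control.ctl entry, taken from the post.
CTL_LINE = "rmgroup:control at usenet.backbone.at:at.*:pgpkey-AE548CCD=mail"

# Constructed gpg --status-fd style output. The long key IDs are made up;
# only the trailing AE548CCD of the first one comes from the post.
UID = "austrian usenet coordinator <control at usenet.backbone.at>"
GENUINE = "[GNUPG:] GOODSIG 11223344AE548CCD " + UID + "\n"
LOOKALIKE = "[GNUPG:] GOODSIG 99887766DEADBEEF " + UID + "\n"  # same uid, other key
TAMPERED = "[GNUPG:] BADSIG 11223344AE548CCD " + UID + "\n"

ACTION_RE = re.compile(r"^pgpkey-([0-9A-Fa-f]{8,40})=(\w+)$")
GOODSIG_RE = re.compile(r"^\[GNUPG:\] GOODSIG ([0-9A-Fa-f]+) ", re.M)


def parse_ctl_line(line):
    """Split the hypothetical pgpkey- entry into its fields."""
    message, sender, groups, action = line.strip().split(":", 3)
    m = ACTION_RE.match(action)
    if not m:
        raise ValueError("no pgpkey-<keyid>=<action> field")
    return {"message": message, "sender": sender, "groups": groups,
            "keyid": m.group(1).upper(), "action": m.group(2)}


def signer_keyid(status):
    """Return the key ID of the single good signature, else None."""
    ids = GOODSIG_RE.findall(status)
    return ids[0].upper() if len(ids) == 1 else None


def allowed_action(ctl_line, status):
    """Action to take if the signing key matches the entry, else None."""
    entry = parse_ctl_line(ctl_line)
    signer = signer_keyid(status)
    # Only the key ID is compared; the uid text after it is never parsed,
    # so spaces or multiple uids cannot change the result. A longer ID or
    # a full fingerprint in the entry narrows the match further.
    if signer and signer.endswith(entry["keyid"]):
        return entry["action"]
    return None


if __name__ == "__main__":
    for name, status in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                         ("tampered", TAMPERED)):
        print(name, allowed_action(CTL_LINE, status))
```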

