[rt-users] GnuPG key management issues

Christopher Kunz chrislist at de-punkt.de
Fri Oct 9 05:34:21 EDT 2015


Hi,

> I believe the 4.2/skip-asc-keys branch[1] addresses this particular
> issue, of interpreting .asc as encrypted data.  I'm sure that BPS
> would appreciate the feedback if it resolves the issue for you.

Thanks for the pointer! I think it does solve the painful part of the
issue, indeed. I manually patched our 4.2.8 installation and now the
.asc attachments still cause a warning in the log, but no other
undesired effects.

> The security implications of such a flag almost certainly preclude its
> inclusion in core RT -- though you understand the security
> implications, many sites might not, and might enable it regardless of
> any warnings placed on it.  Operating in such configurations is far
> worse than operating without GPG at all.

I agree. I'd like to point out, though, that a veiled hint at the
"always trust" option is already in the doc for RT::Crypt::GnuPG. Quote:
"Encrypting to untrusted keys

Due to limitations of GnuPG, it's impossible to encrypt to an untrusted
key, unless 'always trust' mode is enabled."

Maybe there should be a notice after that sentence to the effect of
"this is in most cases a very bad idea".

> If you wish to implement this yourself, there are a couple options for
> where to implement the behavior.  The first two of them will require
> that the web user have write access to the keyring.
> 
I'm not a Perl guy, so developing our own solution is not in scope at
the moment. In addition, I really don't think it does solve the actual
issue, which is that GMX is spewing out potentially hundreds of
thousands of unverifiable OpenPGP keys. It would be FAR better if they
(semi-automatically) uploaded them to a keyserver and maybe added some
trust level via their own management keys. After all, the owners of
gmx.net can certify that a key belongs to randommember at gmx.net and
therefore authenticate that relation. Anyway, I'm sure since there
actually are a lot of very smart people working there, they will roll
out some of that eventually.

> If this is central to your workflow, you may wish to consider
> contacting sales at bestpractical.com to see if they can help you
> implement one of the above solutions.

I might just do that, after asking my customer if he'll pay for it.
First, however, I will try to educate them on the advantages of using
keyservers.

Thanks for your help, my biggest pain is solved! :)

Best regards,

--ck
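
The "always trust" trade-off discussed in this message, as an added example that is not part of the original e-mail or of RT's code: instead of enabling always-trust, a site can read the validity field of GnuPG's `--with-colons` key listing and refuse recipients whose keys are not validated. The sample listing, the function names and the policy of accepting only fully or ultimately valid user IDs are assumptions made for illustration.

```python
import re

# Field 2 of `gpg --with-colons` records is the calculated validity (GnuPG doc/DETAILS).
TRUSTED = {"f", "u"}                    # fully / ultimately valid
UNUSABLE = {"i", "d", "r", "e", "n"}    # invalid, disabled, revoked, expired, never valid
RANK = {"unusable": 0, "untrusted": 1, "ok": 2}

# Constructed sample of `gpg --with-colons --list-keys` output; key IDs and hashes are made up.
SAMPLE = """\
pub:f:2048:1:AAAAAAAAAAAAAAA1:1420070400:::-:::scESC:
uid:f::::1420070400::HASH1::Support Staff <staff@example.org>:
pub:-:2048:1:BBBBBBBBBBBBBBB2:1441065600:::-:::scESC:
uid:-::::1441065600::HASH2::Random Member <randommember@example.net>:
pub:e:2048:1:CCCCCCCCCCCCCCC3:1388534400:1420070400::-:::sc:
uid:e::::1388534400::HASH3::Old Key <old@example.org>:
"""

def classify(colon_listing):
    """Return {email: 'ok' | 'untrusted' | 'unusable'}, keeping the best key per address."""
    status, key_validity = {}, None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_validity = f[1]         # validity of the primary key
        elif f[0] == "uid" and key_validity is not None and len(f) > 9:
            m = re.search(r"<([^<>]+)>", f[9])
            if not m:
                continue                # user ID without an e-mail address
            if key_validity in UNUSABLE or f[1] in UNUSABLE:
                s = "unusable"
            elif f[1] in TRUSTED:
                s = "ok"
            else:                       # '-', 'q', 'o', 'm' or empty: refused by this policy
                s = "untrusted"
            email = m.group(1).lower()
            if RANK[s] > RANK.get(status.get(email), -1):
                status[email] = s
    return status

def refuse_list(recipients, colon_listing):
    """Recipients whose keys need out-of-band verification before encrypting to them."""
    status = classify(colon_listing)
    return [r for r in recipients if status.get(r.lower(), "missing") != "ok"]
```
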



