I found that mix, when sending keys (in reply to
remailer-key), instead of simply getting public keys
from pubring, reads secret keys from secring,
converts them to public keys and signs the public keys.
I think it is really bad!
OK, maybe it is acceptable for RSA keys, because the signature
is the same each time, but not for DSS keys. For DSS
keys the signature is different each time (because a random
number is used when signing). So if one retrieves a
remailer's public key several times and imports it into a
keyring, he gets a key with multiple self-signatures.
I think mix should be changed so that it gets public
keys from pubring.
This bug is found in 2.9beta31 but not in previous
OK, I think I found the problem:
in the latest version(s), in pgpkey.txt RSA and DSS keys are
stored separately. Probably pgpdb_getkey() finds only the
first one, and then if the key is not found it takes it
from secring, converts it to a pubkey and signs it.
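The effect described in the report, as an added example that is not part of the original posts or of the Mixmaster code: a key that is re-signed on every request gains one self-signature per fetch under DSA but only one in total under deterministic RSA signing. All parameters, the key material and the function names are constructed toy values, and the keyring is modelled as a set that keeps every signature it has not seen before.

```python
import hashlib
import secrets
from math import isqrt

# Toy parameters (constructed for this demo, far too small for real use).
M31, M61 = 2**31 - 1, 2**61 - 1            # two known Mersenne primes
KEY = b"remailer public key + user id"     # constructed data being self-signed

def is_prime(n):
    return n > 2 and n % 2 == 1 and all(n % d for d in range(3, isqrt(n) + 1, 2))

def digest(msg, mod):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % mod

# RSA modelled as textbook signing: no random input, so output is repeatable.
RSA_N, RSA_E = M31 * M61, 65537
RSA_D = pow(RSA_E, -1, (M31 - 1) * (M61 - 1))

def rsa_sign(msg):
    return pow(digest(msg, RSA_N), RSA_D, RSA_N)

# DSA: subgroup of prime order Q inside Z_P*, with P = 2*k*Q + 1.
Q = M31
P = next(p for p in (2 * k * Q + 1 for k in range(1, 10**4)) if is_prime(p))
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 100)) if g != 1)
X = 123456789                              # constructed secret key
Y = pow(G, X, P)

def dsa_sign(msg):
    while True:
        k = secrets.randbelow(Q - 1) + 1   # fresh random number per signature
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (digest(msg, Q) + X * r) % Q
        if r and s:
            return (r, s)

def dsa_verify(msg, sig):
    r, s = sig
    w = pow(s, -1, Q)
    v = pow(G, digest(msg, Q) * w % Q, P) * pow(Y, r * w % Q, P) % P % Q
    return v == r

def self_sigs_after(sign, fetches):
    """Each key request re-signs KEY; the importing keyring merges by key
    and keeps every distinct self-signature it receives."""
    return {sign(KEY) for _ in range(fetches)}
```

Every DSA signature in the resulting set verifies, so a client has no cryptographic reason to discard any of them; serving the stored public key from pubring avoids creating them in the first place.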