@alice I'm just being silly, but there is a vulnerability in an OpenPGP software that allows poisoing certificates on key servers. gist.github.com/rjhansen/67ab9

In the link above, one of the causes given to the flaw is that the software is written in an “obscure” language called OCaml, and several tech news websites have relayed this statement as-is ^^

@otini I don't really like the point where:
1) the "bug" (which is more a design choice than a bug) was discovered 10 years before
2) The bug is not on the server (which is implemented in OCaml) but at the reception of poisoned certificates by the client - and, in this case, by GnuPG (implemented in C)

In fact, the point is the client is not able to handle such poisoned keys (news.ycombinator.com/item?id=2).

The FUD about the server or the language is a bullshit where the problem is somewhere else.

@dinosaure Wow then the whole post about the server is completely irrelevant…

@otini @dinosaure well, a "fix" is to have servers which only accept fewer certificates (and/or validate them being good -- but then an attacker can properly sign any public key, and this will pass the check). but then your client still has to deal with misbehaving servers --> the fix is not easy, and IMHO key servers are bad (since they expose timestamps and the social network) anyways. so why not just switch them off and try another way of exchanging public keys!?

@hannesm @otini @dinosaure I remember there were also discussions about other issues with the keyservers, e.g. never-expiring dead keys, which had to be kept or.

Sign in to participate in the conversation
Functional Café

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!