GNU bug report logs - #25429
24.5; mml-secure-message-encrypt-pgpmime warns about some User IDs with unknown validity but not about others
Reported by: Daniel Kahn Gillmor <dkg <at> fifthhorseman.net>
Date: Thu, 12 Jan 2017 16:48:01 UTC
Severity: normal
Tags: security
Found in version 24.5
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Message #10 received at 25429 <at> debbugs.gnu.org (full text, mbox):
Daniel Kahn Gillmor <dkg <at> fifthhorseman.net> writes:
> This is a security bug in Emacs' mml mode when composing encrypted
> mail. The flaw allows an attacker to potentially trigger selection of
> the wrong key, and to evade a warning from gpg.
>
> Here's the situation:
>
> I'm composing a message in emacs in mml-mode (using notmuch, fwiw, though
> i don't think that matters here), and i want to send it encrypted.
>
> I use mml-secure-message-encrypt-pgpmime (via C-c RET c p) to encrypt
> the message.
>
> I have two friends, Alice and Bob, who have OpenPGP certificates that
> look like this:
[...]
> pub rsa4096 2016-08-16 [SC]
> F3CCEF926FE16622B7050F0804AEEB8BE699F289
> uid [ unknown] Bob <bob <at> example.net>
> sub rsa4096 2016-08-16 [E]
[...]
> When the mail is addressed only to bob <at> example.net, i get this warning
> when sending; if i answer "n" then the message doesn't go out:
>
> Untrusted key 04AEEB8BE699F289 Bob <bob <at> example.net>. Use anyway? (y or n)
I'm trying to triage this bug, but I just tried this in Emacs 27 with a
key that's listed as [unknown], and I do not get this warning. Is there
some additional setting necessary to get the warning?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
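
An added example, not code from this report or from Emacs: one way a mail client could decide, per recipient, whether to warn, by reading `gpg --with-colons --list-keys` output and judging the validity of the User ID that matches the address rather than the key as a whole. The listing is constructed and trimmed to the fields used; only Bob's key ID and fingerprint come from the report, and the second key with its two User IDs is invented to show validity differing between User IDs of one key.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output.
# Field 2 is validity ("-" unknown, "f" full, "u" ultimate), field 10 the
# fingerprint (fpr records) or the User ID (uid records).
SAMPLE = """\
pub:-:4096:1:04AEEB8BE699F289:1471305600:
fpr:::::::::F3CCEF926FE16622B7050F0804AEEB8BE699F289:
uid:-::::1471305600::::Bob <bob@example.net>:
sub:-:4096:1:1111111111111111:1471305600:
pub:f:4096:1:AAAAAAAAAAAAAAAA:1471305600:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:f::::1471305600::::Carol <carol@example.net>:
uid:-::::1471305600::::Carol <carol@example.org>:
"""

TRUSTED = {"f", "u"}  # full or ultimate validity


def uid_validity(listing):
    """Yield (primary fingerprint, user_id, validity) for every uid record."""
    fpr, expect_fpr = None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            fpr, expect_fpr = None, True
        elif f[0] == "fpr" and expect_fpr:
            # Only the fpr record directly after pub names the primary key.
            fpr, expect_fpr = f[9], False
        elif f[0] == "uid":
            yield fpr, f[9], f[1]


def usable_keys(listing, recipient):
    """Return (usable, rejected) fingerprints, judged per matching User ID."""
    addr = recipient.lower()
    usable, rejected = [], []
    for fpr, uid, validity in uid_validity(listing):
        m = re.search(r"<([^<>]+)>\s*$", uid)
        if m and m.group(1).lower() == addr:
            (usable if validity in TRUSTED else rejected).append(fpr)
    return usable, rejected


if __name__ == "__main__":
    for rcpt in ("bob@example.net", "carol@example.net", "carol@example.org"):
        print(rcpt, usable_keys(SAMPLE, rcpt))
```

A recipient with an empty `usable` list is the case where the sender should be asked before encrypting, whatever validity the key's other User IDs carry.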
This bug report was last modified 4 years and 348 days ago.