hockeypuck

Rigorous RFC4880 validation with SKS compatibility

Bug #1224801 reported by Casey Marshall on 2013-09-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	hockeypuck	Fix Committed	Medium	Casey Marshall	hockeypuck 1.0-rc1

Bug Description

SKS doesn't validate signatures against the signing public key, nor does it prevent non-exportable certifications from being distributed.

Hockeypuck should subject key material submitted through the HKP API to this rigorous level of validation, and filter out key material that does not meet RFC4880 specifications.

However, if Hockeypuck is to peer with SKS, it will need to store key material exactly as SKS distributes it, and be able to calculate the same digest of given key material as SKS. Hockeypuck can flag such packets as recon-only for calculating the digest and when responding to /pks/hashquery from peers using the STATE column. This invalid material will be filtered out of /pks/lookup requests from HKP clients.

Reference:
http://<email address hidden>/msg03577.html

See original description

Casey Marshall (cmars) on 2013-09-13

description:

updated

Revision history for this message

Casey Marshall (cmars) wrote on 2013-09-23:

SKS compatibility is working. Need to add validation test coverage.

Changed in hockeypuck:
status:	Confirmed → In Progress

Casey Marshall (cmars) on 2014-01-04

Changed in hockeypuck:
status:	In Progress → Fix Committed
assignee:	nobody → Casey Marshall (cmars)
milestone:	none → 1.0-rc1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.