Rigorous RFC4880 validation with SKS compatibility
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
hockeypuck |
Fix Committed
|
Medium
|
Casey Marshall |
Bug Description
SKS doesn't validate signatures against the signing public key, nor does it prevent non-exportable certifications from being distributed.
Hockeypuck should subject key material submitted through the HKP API to this rigorous level of validation, and filter out key material that does not meet RFC4880 specifications.
However, if Hockeypuck is to peer with SKS, it will need to store key material exactly as SKS distributes it, and be able to calculate the same digest of given key material as SKS. Hockeypuck can flag such packets as recon-only for calculating the digest and when responding to /pks/hashquery from peers using the STATE column. This invalid material will be filtered out of /pks/lookup requests from HKP clients.
Reference:
http://<email address hidden>
description: | updated |
Changed in hockeypuck: | |
status: | In Progress → Fix Committed |
assignee: | nobody → Casey Marshall (cmars) |
milestone: | none → 1.0-rc1 |
SKS compatibility is working. Need to add validation test coverage.