Updated cure53 Security Audit 2015 (markdown)

Dominik Schürmann 2016-12-06 10:48:41 +01:00
parent 289f94843f
commit d441be0d9b
1 changed file with 1 addition and 1 deletion

@ -17,7 +17,7 @@ FIXED IN
### OKC-01-006 Keyserver can send arbitrary Public Keys without Verification (Low)
A comparison of user ids is difficult to implement as keyservers could, in some circumstances, return User IDs with a broken encoding. We would also need to check for revocation status, key size etc. which introduces much code complexity. Downloading all search results and parsing them locally before prompting the user which key(s) he wants would result in too much network traffic. Keys are several to many kilobytes in size, e.g., 66kb.
WONTFIX FOR NOW
FIXED in 4.2: Before importing keys from keyservers, they are downloaded fully, verified, and displayed to the user.
### OKC-01-009 Bypassable Fingerprint-Check for Key Exchange via QR Code (High)
The fingerprint check is now performed after canonicalization and the method has been changed to check primary and mutually bound keys only.
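Review bot: The OKC-01-006 entry now carries two contradictory statuses, "WONTFIX FOR NOW" immediately followed by "FIXED in 4.2: ...", and the paragraph above it still argues that downloading all results and parsing them locally would cause too much network traffic, which is exactly what the 4.2 fix is described as doing. Suggest turning the old status into history rather than current state, e.g. "Was WONTFIX before 4.2. FIXED in 4.2: ...", and adding a sentence recording that the traffic concern was accepted in favour of verifying keys before import, so the rationale and the resolution no longer contradict each other. The word "verified" should also say what is checked before the user is prompted, for example that the downloaded key's fingerprint matches the fingerprint or key ID of the search result the user selected, since the finding is specifically about a keyserver substituting arbitrary public keys; as written, a reader cannot tell whether the mitigation addresses that substitution or only validates the key material itself.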