From: Jonathan McCune
Subject: Re: RFC: should the 'trust' and 'verify_detached' commands respect 'check_signatures=enforce'?
Date: Mon, 21 Oct 2013 10:44:45 -0700
On 18.10.2013 04:44, Andrey Borzenkov wrote:
> On Thu, 17 Oct 2013 23:44:05 +0200
> Vladimir 'φ-coder/phcoder' Serbinenko <address@hidden> writes:
>
>> On 17.10.2013 20:28, Jonathan McCune wrote:
>>> Presently the 'trust' and 'verify_detached' commands disable all filters
>>> (e.g., verify.c:grub_cmd_trust() calls grub_file_filter_disable_all())
>>> when opening a file containing a public key (note the distinction from
>>> verify_detached implicitly using an already-loaded key).
>>
>> This is the intended behaviour. Use case: to manually add keys when
>> needed. Your proposal is for other use cases which would probably require
>> special arguments or separate functions.
>>
>
> This has the same MITM problem we already discussed and that was fixed
> if the pubkey filter is used - you cannot actually know that the key you trust
> is the same as the key you verified. So I think that at least by default
> "trust" should not disable the pubkey filter.
>
> verify_detached probably should, but maybe only for the file that is
> verified itself, but not for the pubkey.
>

I didn't oppose a command or options having the described
functionality. Thinking about it, I have to agree that default behaviour
should be paranoid with options to relax it. Would you or Jonathan
prepare a patch to change the behaviour with an option to restore
current behaviour?
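A toy model of the two behaviours under discussion, added here as an example and not GRUB's own code: it stands in for the pubkey filter with HMAC-SHA256 (real GRUB verifies GPG detached signatures) and compares a 'trust' that disables the filter with one that keeps it, using constructed key ids and paths.

```python
# Toy model (added here; not GRUB's code) of the check_signatures=enforce
# pubkey filter and of a 'trust' command that either bypasses the filter
# (current behaviour, via grub_file_filter_disable_all) or respects it.
# Signatures are simulated with HMAC-SHA256 keyed per key id; real GRUB
# verifies GPG detached signatures. Paths, key ids and data are constructed.
import hashlib
import hmac

# Constructed stand-ins for the private halves of two key pairs.
PRIVATE = {"distro-key": b"distro-secret", "other-key": b"other-secret"}

def sign(key_id, data):
    """Detached signature over a file: (signing key id, MAC of the content)."""
    return (key_id, hmac.new(PRIVATE[key_id], data, hashlib.sha256).digest())

class ToyGrub:
    def __init__(self, disk, enforce=True):
        self.disk = disk               # path -> bytes; path + ".sig" -> signature
        self.enforce = enforce         # check_signatures=enforce
        self.trusted = {"distro-key"}  # key built into the image

    def open(self, path, disable_filters=False):
        """Open a file; while the filter is active, demand a valid detached sig."""
        data = self.disk[path]
        if self.enforce and not disable_filters:
            key_id, mac = self.disk.get(path + ".sig", (None, b""))
            if key_id not in self.trusted or not hmac.compare_digest(
                    mac, sign(key_id, data)[1]):
                raise PermissionError(f"{path}: missing or untrusted signature")
        return data

    def trust(self, path, skip_filter):
        """Add the key id stored in a key file to the trusted set."""
        key_id = self.open(path, disable_filters=skip_filter).decode()
        self.trusted.add(key_id)
        return key_id

def trust_accepts(key_id, signer, skip_filter):
    """Does 'trust' accept a key file whose detached sig was made by `signer`?"""
    disk = {"/boot/extra.pub": key_id.encode()}
    if signer:  # signer=None models a key file with no .sig beside it
        disk["/boot/extra.pub.sig"] = sign(signer, disk["/boot/extra.pub"])
    grub = ToyGrub(disk)
    try:
        return grub.trust("/boot/extra.pub", skip_filter) in grub.trusted
    except PermissionError:
        return False
```

With the filter kept, a key file is only accepted when an already-trusted key signed it; with the filter disabled, any key file on disk becomes trusted, which is the gap Andrey points at.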