Debian Bug report logs -
#800134
wotsap: should handle 64-bit key IDs gracefully
Report forwarded
to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Giovanni Mascellani <gio@debian.org>:
Bug#800134; Package wotsap.
(Sun, 27 Sep 2015 09:27:06 GMT)
Message #3 received at submit@bugs.debian.org:
Package: wotsap
Version: 0.7-4
Usertags: serious
$ wotsap 2D4EB3A6015475F5 79BE3E4300411886
Key not found: "2D4EB3A6015475F5"
Apparently that's because wotsap expects 32-bit key IDs. But the error
message is not helpful, and the manual page doesn't document this
requirement either.
And of course, ideally, wotsap should just accept 64-bit key IDs.
--
Jakub Wilk
Information forwarded
to debian-bugs-dist@lists.debian.org, Giovanni Mascellani <gio@debian.org>:
Bug#800134; Package wotsap.
(Sat, 29 Apr 2017 14:21:03 GMT)
Acknowledgement sent
to Joey Hess <id@joeyh.name>:
Extra info received and forwarded to list. Copy sent to Giovanni Mascellani <gio@debian.org>.
(Sat, 29 Apr 2017 14:21:03 GMT)
Message #8 received at 800134@bugs.debian.org:
This makes wotsap not secure enough for use by the program I had wanted
to use it. Short key ids are too easily spoofed to be useful.
IMHO, wotsap should support full length key fingerprints, I don't want
to use any form of truncated ids when finding trust paths.
--
see shy jo
Information forwarded
to debian-bugs-dist@lists.debian.org, Giovanni Mascellani <gio@debian.org>:
Bug#800134; Package wotsap.
(Sat, 29 Apr 2017 14:39:02 GMT)
Acknowledgement sent
to Joey Hess <id@joeyh.name>:
Extra info received and forwarded to list. Copy sent to Giovanni Mascellani <gio@debian.org>.
(Sat, 29 Apr 2017 14:39:02 GMT)
Message #13 received at 800134@bugs.debian.org:
Turns out wotsap 0.3 file format supports 16 length ids.
http://pgp.cs.uu.nl/archive/wot-0.3/latest.wot
The version of wotsap in Debian does not support that format.
I feel that this is a security problem; the current wotsap provides a
false sense of security to any users given that the whole strong set has
been cloned at length 8.
It seems that the Python implementation of wotsap does not support that
format, but there's a Perl version that does, here:
http://pgp.cs.uu.nl/wotsap/
--
see shy jo
Added tag(s) security.
Request was from Paul Wise <pabs@debian.org>
to control@bugs.debian.org.
(Sun, 30 Apr 2017 07:30:02 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#800134; Package wotsap.
(Sun, 30 Apr 2017 08:51:02 GMT)
Acknowledgement sent
to Giovanni Mascellani <gio@debian.org>:
Extra info received and forwarded to list.
(Sun, 30 Apr 2017 08:51:02 GMT)
Message #20 received at 800134@bugs.debian.org:
Hi,
On 29/04/2017 16:17, Joey Hess wrote:
> IMHO, wotsap should support full length key fingerprints, I don't want
> to use any form of truncated ids when finding trust paths.
I fully agree. Unfortunately at the moment wotsap is not really
maintained by anyone. I tried to do something here:
https://github.com/giomasce/wotsap
But then ran out of time again. There is also some discussion here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700309
I will try to put everything together as soon as I have some time.
Contributions are, of course, welcome.
Gio.
--
Giovanni Mascellani <g.mascellani@gmail.com>
PhD Student - Scuola Normale Superiore, Pisa, Italy
http://poisson.phc.unipi.it/~mascellani
Severity set to 'important' from 'normal'
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Sun, 30 Apr 2017 10:45:02 GMT)
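
As an added illustration of what this bug asks for (not wotsap code, and not written by anyone in the thread): a lookup that accepts 32-bit, 64-bit or full-fingerprint IDs and reports an ambiguous short ID instead of a bare "Key not found". The keyring, the filler fingerprint digits and the names `normalize`, `resolve` and `KeyLookupError` are assumptions; it assumes v4 OpenPGP keys, where a key ID is the low-order bits of the 160-bit fingerprint.

```python
import re

# Constructed 40-hex-digit fingerprints (the leading 24 digits are filler, not
# real keys). The first two were built to share their last 8 digits, modelling
# a cloned 32-bit key ID.
KEYRING = [
    "A1B2C3D4E5F60718293A4B5C2D4EB3A6015475F5",
    "0F1E2D3C4B5A69788796A5B4C3D2E1F0015475F5",
    "1234567890ABCDEF1234567879BE3E4300411886",
]

class KeyLookupError(Exception):
    """Raised with a message that says why an ID could not be resolved."""

def normalize(key_id):
    """Strip spaces and an optional 0x prefix; accept 8, 16 or 40 hex digits."""
    s = re.sub(r"\s+", "", key_id).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]+", s) or len(s) not in (8, 16, 40):
        raise KeyLookupError(
            f"{key_id!r}: expected 8 (32-bit), 16 (64-bit) or 40 "
            "(fingerprint) hex digits")
    return s

def resolve(key_id, keyring=KEYRING, allow_short=False):
    """Return the single fingerprint that key_id names, or raise."""
    s = normalize(key_id)
    if len(s) == 8 and not allow_short:
        raise KeyLookupError(f"{s}: 32-bit key IDs are refused; "
                             "use a 64-bit ID or the full fingerprint")
    # For v4 keys every shorter ID is a suffix of the fingerprint.
    matches = [fp for fp in keyring if fp.endswith(s)]
    if not matches:
        raise KeyLookupError(f"{s}: no such key in the keyring")
    if len(matches) > 1:
        raise KeyLookupError(f"{s}: ambiguous, matches {len(matches)} keys: "
                             + ", ".join(matches))
    return matches[0]

if __name__ == "__main__":
    for query in ("2D4EB3A6015475F5", "0x79BE3E4300411886", "015475F5"):
        try:
            print(query, "->", resolve(query, allow_short=True))
        except KeyLookupError as err:
            print("error:", err)
```

A unique match only means the ID is unambiguous within the local keyring; only the full fingerprint identifies a key.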
Last modified:
Tue Aug 14 21:33:10 2018;