> 4. This actually parses the packet as well and this is where things get
> a little more complicated: what's an acceptable response from a
> keyserver? This is another thing that's delegated to GnuPG right
> now, but it would be interesting to formalize this and (self-?)
> authenticate the key material. Or can we delegate *just* that bit to
> GnuPG?

I guess this whole re-implementation feasibility question can be
summarized as such: Is `gpg --import` safe to run against untrusted
data? If not, how does it differ from `gpg --recv-keys`?

A.

-- 
They say that time changes things, but you actually have to change
them yourself.
                        - Andy Warhol