On Tue 13/Aug/2019 12:08:31 +0200 Werner Koch Via Gnupg-users wrote:
> On Tue, 13 Aug 2019 09:54, gnupg-users@gnupg.org said:
>> The bug, however, is in the program that chokes on poisoned keys!
> Nope.  This is a long standing DoS protection by limiting the total
> length of a keyblock.  The diagnostics were a bit misleading, though.
> The time it took to process all these signatures during importing is due
> to a fix and out of order keyblock functions which has been enabled by
> default in 2.1.  It should be obvious that checking several thousands of
> signatures and finding the matching user-id takes its time.
> Anyway, given that these keys are real the approach with 2.2.17 is to
> auto-retry an import with import-clean etc. if the keyblock size hits
> the size limit.  For keyserver imports import-clean is also the default.

Why wasn't that check in place from version 0.0.0?  Perhaps GnuPG was
coded at times when DoS was an operating system?

Of course, anonymous key poisoning is a kind of gratuitous vandalism.
Yet, crypto is supposed to work in a hostile environment.
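The limit Werner describes above is applied to the keyblock before any of its signatures are verified. As an added illustration (not GnuPG's own code), the Python below walks an OpenPGP keyblock packet by packet per RFC 4880, counts the signature packets and applies a byte and signature-count threshold; the sample keyblock, its dummy packet bodies and the threshold values are constructed assumptions, not real keys or GnuPG's actual limits.

```python
import struct
from collections import Counter

SIG, PUBKEY, UID = 2, 6, 13  # OpenPGP packet tags (RFC 4880 section 4.3)

def packet(tag, body):
    """Wrap body in a new-format packet header (1-, 2- or 5-octet length)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([192 + (n >> 8), n & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body

def iter_packets(data):
    """Yield (tag, body_length) for every packet; old and new header formats."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("no packet header at offset %d" % i)
        if first & 0x40:                      # new format: tag in low 6 bits
            tag, o = first & 0x3F, data[i + 1]
            if o < 192:
                n, hdr = o, 2
            elif o < 224:
                n, hdr = ((o - 192) << 8) + data[i + 2] + 192, 3
            elif o == 255:
                n, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                 # old format: tag in bits 2..5
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            n, hdr = int.from_bytes(data[i + 1:i + 1 + size], "big"), 1 + size
        yield tag, n
        i += hdr + n

def check_keyblock(data, max_bytes=1024, max_sigs=20):
    """Cheap pre-import check: reject on size before verifying any signature.
    A rejected block is where an import-clean retry would be attempted."""
    sigs = Counter(tag for tag, _ in iter_packets(data))[SIG]
    return {"bytes": len(data), "signatures": sigs,
            "accept": len(data) <= max_bytes and sigs <= max_sigs}

# Constructed sample: one key, one user ID, 25 dummy certification signatures.
CLEAN = packet(PUBKEY, b"\x04" + b"\x00" * 15) + packet(UID, b"alice@example.invalid")
POISONED = CLEAN + b"".join(packet(SIG, b"\x04\x10" + bytes([i]) * 40) for i in range(25))
```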
