Re: [Sks-devel] nokeyserver annotation

2016-12-20 Thread Kristian Fiskerstrand
On 12/20/2016 07:58 PM, Vincent Breitmoser wrote:
>> If you can trick a user into importing a package that hinders
>> distribution of the keyblock
>
> This should be prevented by client implementations, why would they ever
> import a non-verifying self-cert?

An invalid notation might not be

Re: [Sks-devel] nokeyserver annotation

2016-12-20 Thread Vincent Breitmoser
> If you can trick a user into importing a package that hinders
> distribution of the keyblock

This should be prevented by client implementations, why would they ever import a non-verifying self-cert?

> believes it gets uploaded to keyserver with the modified packet but at
> that point it is

Re: [Sks-devel] nokeyserver annotation

2016-12-20 Thread Kristian Fiskerstrand
On 12/20/2016 07:41 PM, Daniel Kahn Gillmor wrote:
> scenario (a) doesn't matter -- the keyservers simply won't propagate
> that modified cert, which is fine, because it's not actually Alice's
> self-sig anyway.

How wouldn't this matter? If you can trick a user into importing a package that

Re: [Sks-devel] nokeyserver annotation

2016-12-20 Thread Daniel Kahn Gillmor
On Tue 2016-12-20 12:24:56 -0500, Kim Minh Kaplan wrote:
> - to do this keyservers will have to actually do cryptography

I think i disagree here. The keyservers currently don't validate anything, and i don't see how this proposal would change things. The two "attack" scenarios i can imagine

Re: [Sks-devel] nokeyserver annotation

2016-12-20 Thread Vincent Breitmoser
Kristian Fiskerstrand(kristian.fiskerstr...@sumptuouscapital.com)@Tue, Dec 20, 2016 at 07:31:35PM +0100:
> On 12/20/2016 07:29 PM, Vincent Breitmoser wrote:
> >> Without verifying the signature this opens up for a DoS on users
> >> expecting to distribute the keys, e.g in case of a revocation

Re: [Sks-devel] nokeyserver annotation

2016-12-20 Thread Vincent Breitmoser
> Without verifying the signature this opens up for a DoS on users
> expecting to distribute the keys, e.g in case of a revocation certificate.

I'm not sure how, could you quickly describe the scenario you have in mind?

- V

___ Sks-devel mailing list

Re: [Sks-devel] nokeyserver annotation

2016-12-20 Thread Christoph Egger
Vincent Breitmoser writes:
>> - to do this keyservers will have to actually do cryptography
>
> Are you sure? I don't think there's any attack scenario here: If any
> such signature exists, you can't upload the key.

You can strip that signature. If you only consider

Re: [Sks-devel] nokeyserver annotation

2016-12-20 Thread Vincent Breitmoser
> Assuming the intention is tagging my key (which hasn't been published so
> far) so it doesn't end up on the keyserver. In that case *all* self-sigs
> would need to carry the notation as otherwise an intruder could just
> remove the newest nokeyserver selfsig and still have a valid key (iff
> all

Re: [Sks-devel] nokeyserver annotation

2016-12-20 Thread Kim Minh Kaplan
Daniel Kahn Gillmor wrote:
> i've been trying to make it possible for key to state that
> it should be excluded from some keyservers, but those attempts to fix
> things have failed thus far due to filter synchronization issues:
>
>
>

[Sks-devel] Server temporarily offline: keys.drup.no

2016-12-20 Thread Audun Larsen
Hello,

My key-server keys.drup.no is temporarily offline because of a power outage. I hope it will be back online tomorrow.

Best regards,
Audun Larsen