On 8/14/2014 2:23 PM, Kristian Fiskerstrand wrote:
> On 08/14/2014 02:12 PM, Christoph Egger wrote:
>> "Kiss Gabor (Bitman)" <ki...@ssg.ki.iif.hu> writes:
>>>> - mitm attacks may manipulate up-/downloaded keys
>>>
>>> no
>>>
>>> Every uploaded key can be manipulated legally by anyone. (I.e. you attach a new signature to your friend's key and send it back to the key servers.) Moreover, anybody can send a totally new key in your name. A public key server is like Wikipedia or a piece of paper. And everybody has a pencil. :-)
>
>> You can still block certain packets from up/downloads (i.e. not providing signature packets for some key -- kind of a DoS when checking a trust path)
>
> Or even more importantly, providing a public key where a revocation signature has been removed.
Is this possible? My (albeit limited) understanding is that SKS is an append-only system, and that it is not possible to remove key packets that are already on the servers. Wouldn't a bad guy:

a. Need the private key to edit self-signed elements, like revocation signatures?
b. Be unable to remove the revocation signature, as SKS servers are append-only?

Cheers!
-Pete
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
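The scenario raised in the thread is not a modification of what SKS stores but of what the client receives: over an unauthenticated HKP fetch, an intermediary can serve a key with the revocation signature packet omitted, and the client has no way to tell from the packet stream alone that something was left out. The following is an added example, not code from this thread or from SKS. It assumes RFC 4880 packet framing (old- and new-format headers) and uses constructed placeholder packets rather than real key material; all function names (parse_packets, signature_types, has_revocation, stripped_packets) are hypothetical. It shows the two checks a client can make on the defender's side: whether a downloaded key carries any revocation signature at all, and whether a fresh download is missing packets that a locally cached copy already had, which, since SKS only merges and never deletes, is a sign of tampering in transit or a faulty server.

```python
# Added example (not from the thread or from SKS): detect an OpenPGP key whose
# revocation signature was stripped between the keyserver and the client.
# Assumes RFC 4880 packet framing; the sample packets below are constructed
# placeholders, not real keys or real signatures.

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13

# Signature types (RFC 4880 section 5.2.1) that revoke something:
# 0x20 key revocation, 0x28 subkey revocation, 0x30 certification revocation
REVOCATION_TYPES = {0x20, 0x28, 0x30}


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream (RFC 4880 4.2)."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        i += 1
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported here")
            size = 1 << ltype                # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def signature_types(data: bytes) -> list:
    """Signature type octet of every signature packet, in stream order."""
    types = []
    for tag, body in parse_packets(data):
        if tag == TAG_SIGNATURE and len(body) >= 3:
            # v4: version, sig type, ...   v3: version, 5, sig type, ...
            types.append(body[2] if body[0] == 3 else body[1])
    return types


def has_revocation(data: bytes) -> bool:
    """True if any signature packet in the key is a revocation."""
    return any(t in REVOCATION_TYPES for t in signature_types(data))


def stripped_packets(cached: bytes, fetched: bytes) -> list:
    """Packets present in the locally cached copy but absent from the fresh fetch.

    SKS only ever merges packets, so a freshly fetched copy should be a superset
    of what was seen before; anything missing points at tampering in transit
    (or a misbehaving server) and should block the keyring update.
    """
    have = set(parse_packets(cached))
    got = set(parse_packets(fetched))
    return sorted(have - got)


# --- constructed sample data (placeholder bodies, not real key material) ---

def new_format_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet with a one-, two- or five-octet body length."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        n -= 192
        return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big") + body


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Encode an old-format packet with a one-octet body length (bodies < 256)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


PUBKEY = old_format_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 16)
USERID = new_format_packet(TAG_USER_ID, b"Example User <user@example.org>")
CERT_SIG = new_format_packet(TAG_SIGNATURE, bytes([4, 0x13]) + b"\x00" * 300)  # positive certification (two-octet length)
REVOC_SIG = new_format_packet(TAG_SIGNATURE, bytes([4, 0x20]) + b"\x00" * 16)  # key revocation

CACHED_KEY = PUBKEY + USERID + CERT_SIG + REVOC_SIG   # copy already in the local keyring
STRIPPED_KEY = PUBKEY + USERID + CERT_SIG             # what a tampered download would look like

if __name__ == "__main__":
    print("cached key revoked:", has_revocation(CACHED_KEY))      # True
    print("fetched key revoked:", has_revocation(STRIPPED_KEY))   # False
    missing = stripped_packets(CACHED_KEY, STRIPPED_KEY)
    print("packets missing from fetched copy:", [(t, len(b)) for t, b in missing])
```

The second check is the one that actually catches the attack described in the thread: the first only tells you whether a revocation is present, which is no help if you have never seen the key before. Comparing against a cached copy (or fetching the same key from two independent paths and comparing the packet sets) turns the "append-only" property of the server into something the client can verify locally.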