Hi, I'm currently having a closer look at the way pgp keyservers work (details will be published at some point soon).
As it seems currently sks is the de-facto-default keyserver I thought posting this here makes sense. From my understanding the core principle of the pgp keyservers is that they have an "add only"-policy, meaning you can never remove something, just add further information to it (e.g. keys don't get removed, they expire or are revoked). This opens up a couple of problems and I wonder if they have been discussed before and if there are any counterstrategies to them. a) Someone could just flood the keyservers with random bogus keys. This would basically fill up the hard drives of the keyservers. b) Someone could grow a target's key by adding more and more signatures. This would quickly make downloading the key from the keyservers infeasible. c) Someone could use keys, keyids, signatures or whatever to store illegal data. (Basically this very same issue has already been discussed in the context of bitcoin [1]) I don't really see any feasible counterstrategies to these issues. Given the speed one can generate and upload material to key servers (keys don't have to be valid to be accepted) I think all three scenarios could easily happen. I'm curious what the thoughts of the people running keyservers are. [1] https://www.reddit.com/r/Bitcoin/comments/1akyy4/what_happens_if_someone_inserts_illegal_content/ cu, -- Hanno Böck http://hboeck.de/ mail/jabber: [email protected] GPG: BBB51E42
signature.asc
Description: PGP signature
_______________________________________________ Sks-devel mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/sks-devel
