IMHO Photo-ID should be dropped entirely. I see no point and it’s just ripe for
abuse like this. We should not be relying on that w/cryptography. If I’m
going to sign your key and validate I know you, then I should be validating you’re
the holder of that private key with an exchange first (much like I am proposing
with adding your key to SKS network). Then really what does it matter what
image is stored with the public key after that, since the private key holder
could manipulate that. Honestly it was eons ago when I last went to a key
signing, but the few I did go to back in my college days never required a photo
in the public key.

-Ryan

> On Jul 13, 2018, at 9:01 PM, Tom at FlowCrypt <t...@flowcrypt.com> wrote:
> 
> > that would probably be an incomplete mitigation:
> 
> Sounds better than no solution!
> 
> > -people can use the photo id field instead
> 
> Size limit can be enforced.
> 
> > -people can use valid e-mail addresses under an own domain ("catch-all")
> 
> As long as it can validate, seems fine to me. Better than no verification.
> 
> > -your keyserver suddenly can be abused for email spamming
> 
> Any online service that allows registrations can be abused for email 
> spamming, if you consider registration emails an "email spam".
> 
> --------
> 
> Another limitation: you cannot apply the email verification process to the 
> recon algo, because the user would get flooded with verification emails. That 
> means you could have a malicious SKS implementation flooding others with 
> non-verified emails. Again, not perfect, but a good start.
> 
> 
> 
> On Sat, Jul 14, 2018 at 2:50 AM, Tobias Frei <tob...@freiwuppertal.de> wrote:
> Hi Ryan,
> 
> that would probably be an incomplete mitigation:
> 
> -people can use the photo id field instead
> -people can use valid e-mail addresses under an own domain ("catch-all")
> -your keyserver suddenly can be abused for email spamming
> 
> Best regards
> Tobias Frei
> 
> 
> 
> On 14.07.2018 at 02:57, Ryan Hunt wrote:
> Could this be mitigated by validating email addresses as they come in? Like 
> sending an encrypted mail to the said address with a return token; if the 
> token is not provided, the key is never put into the SKS rotation?
> 
> I think a solution like this would be much more effective, and if there was 
> some desire to conform to GDPR at some point it would be a pretty much required 
> first step, because I cannot see how we could possibly remove keys without a 
> command signed by that key, and putting this in place would make that ‘no 
> more difficult to remove than it was to add’.
> 
> Regards,
> -Ryan Hunt
> 
> On Jul 13, 2018, at 11:20 AM, Phil Pennock <sks-devel-p...@spodhuis.org> wrote:
> 
> Heads-up:
> 
> https://medium.com/@mdrahony/are-pgp-key-servers-breaking-the-law-under-the-gdpr-a81ddd709d3e
> https://github.com/yakamok/keyserver-fs
> https://lobste.rs/s/sle0o4/are_pgp_key_servers_breaking_law_under
> 
> This `keyserver-fs` is software to attack SKS, using it as a filesystem, in
> what appears to be a deliberate attack on the viability of continuing to
> run a keyserver.
> 
> The author is upset that there's no deletion, so is pissing in the pool.
> 
> -Phil
> 
> 
> 
> 
> _______________________________________________
> Sks-devel mailing list
> Sks-devel@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/sks-devel

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
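
The mitigation discussed in the thread (hold a submitted key until a token mailed to its address comes back, enforce a photo-ID size limit, send no mail for keys arriving via recon), sketched as an added example that is not part of the thread or of SKS. The class, the HMAC token format, the 24-hour window and the 16 KiB limit are assumptions; the `outbox` list stands in for the mail encrypted to the submitted key.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 24 * 3600          # assumed token validity window, in seconds
MAX_PHOTO_BYTES = 16 * 1024    # assumed photo-ID size limit

class VerifyingKeyserver:      # hypothetical model, not SKS code
    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.pending = {}      # fingerprint -> (email, expiry)
        self.published = {}    # fingerprint -> (email, verified)
        self.outbox = []       # (email, token): stand-in for the encrypted mail

    def _token(self, fpr, email, expiry):
        # Token is bound to this key, this address and this expiry.
        msg = f"{fpr}|{email.lower()}|{expiry}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def submit(self, fpr, email, photo=b"", now=None, via_recon=False):
        now = time.time() if now is None else now
        if len(photo) > MAX_PHOTO_BYTES:
            return "rejected"
        if via_recon:
            # No verification mail on recon (it would flood the user), so a
            # peer-supplied key can only be stored flagged as unverified.
            self.published[fpr] = (email, False)
            return "unverified"
        expiry = int(now) + TOKEN_TTL
        self.pending[fpr] = (email, expiry)
        self.outbox.append((email, self._token(fpr, email, expiry)))
        return "pending"

    def confirm(self, fpr, token, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(fpr)
        if entry is None:
            return False                     # unknown or already confirmed
        email, expiry = entry
        if now > expiry:
            del self.pending[fpr]            # expired: key never enters rotation
            return False
        expected = self._token(fpr, email, expiry)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False
        del self.pending[fpr]                # single use
        self.published[fpr] = (email, True)
        return True
```

The recon branch is where the limitation raised in the thread shows up: a key from a peer carries no proof of address ownership, so the `verified` flag is the only thing separating it from a confirmed key.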
