duplicate keyid survey results

David Shaw dshaw@jabberwocky.com
Sat Mar 9 05:19:02 2002


On Sat, Mar 09, 2002 at 01:03:03PM +0900, Hironobu SUZUKI wrote:
> 
> > Even so, the user can see their 64-bit keyid by adding the
> > "--with-colons" option to the usual --list-keys or --list-sigs
> 
> Thanks!
> 
> > If you don't think this is the right way to go, what do you suggest
> > as an alternative?  I think a warning is fine, but not returning one
> > of the keys leaves the keyserver open for a denial of service
> > attack.
> 
> I'd like to return only a "Found duplicate keys" status to the client.
> If the keyserver returns all of the duplicate key contents to the
> client, it can be used for another DoS attack.

How?

The user does not know if any key from a keyserver is valid or not.
Even if an attacker creates hundreds of duplicate keys, it does not
matter since the signatures are what is used to check if the key is
valid.

> Then the user can select between two things: retrieving by 64-bit
> keyid or via the Web interface.
> 
> The user may access an exact key via the Web interface with a database
> OID number (these numbers are not shown to the user) to check the key
> contents and get it at their own risk.

It is easy to make even a duplicate 64-bit keyid.  If the keyserver
makes the user go through many extra steps to get a key if there is a
duplicate keyid, then that is a (mild) denial of service as well.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
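
Added example, not part of the original message or of GnuPG: a client-side check that reads a "--with-colons" listing and reports keys sharing a 32-bit or a 64-bit keyid, told apart by fingerprint. It assumes the documented colon layout (field 5 of a "pub" record is the 64-bit keyid, field 10 of an "fpr" record is the fingerprint); the sample listing, keyids and fingerprints are constructed.

```python
from collections import defaultdict

# Constructed sample in the --with-colons layout: on "pub" records field 5
# is the 64-bit key ID; on "fpr" records field 10 is the fingerprint.
SAMPLE = """\
pub:u:1024:17:1111AAAA2222BBBB:2002-01-05:::u:Alice <alice@example.org>:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111AAAA2222BBBB:
pub:-:1024:17:9999CCCC2222BBBB:2002-02-11:::-:Alice <alice@example.org>:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB9999CCCC2222BBBB:
pub:-:1024:17:1111AAAA2222BBBB:2002-03-01:::-:Alice <alice@example.org>:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC1111AAAA2222BBBB:
pub:f:2048:1:3333DDDD4444EEEE:2001-07-30:::f:Bob <bob@example.org>:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD3333DDDD4444EEEE:
"""

def parse_keys(listing):
    """Return [(keyid64, fingerprint_or_None)] for each primary key."""
    keys, want_fpr = [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            keys.append([f[4].upper(), None])
            want_fpr = True
        elif f[0] == "fpr" and len(f) > 9 and want_fpr:
            keys[-1][1] = f[9].upper()
            want_fpr = False
        elif f[0] == "sub":
            want_fpr = False  # a fingerprint after this is the subkey's
    return [tuple(k) for k in keys]

def find_collisions(keys):
    """Group keys by 32-bit and 64-bit key ID; report IDs shared by >1 key."""
    short, full = defaultdict(set), defaultdict(set)
    for keyid, fpr in keys:
        short[keyid[-8:]].add(keyid)   # low 32 bits, as shown by default
        if fpr:
            full[keyid].add(fpr)       # same 64-bit ID, different key
    dup32 = {s: sorted(v) for s, v in short.items() if len(v) > 1}
    dup64 = {k: sorted(v) for k, v in full.items() if len(v) > 1}
    return dup32, dup64

if __name__ == "__main__":
    dup32, dup64 = find_collisions(parse_keys(SAMPLE))
    for s, ids in dup32.items():
        print(f"32-bit keyid {s} is shared by 64-bit keyids: {', '.join(ids)}")
    for k, fprs in dup64.items():
        print(f"64-bit keyid {k} is shared by {len(fprs)} fingerprints")
```

A reported collision only says that the keyid is ambiguous; which key is valid is still decided by the signatures on it, as the message above states.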