duplicate keyid survey results
Len Sassaman
rabbi@quickie.net
Sat Mar 9 06:26:02 2002
On Fri, 8 Mar 2002, David Shaw wrote:
> > I'd like to return only "Found duplicate keys" status to client. If
> > keyserver returns all of duplicate key contents to client, it can be
> > used another DoS attack.
>
> How?
>
> The user does not know if any key from a keyserver is valid or not.
> Even if an attacker creates hundreds of duplicate keys, it does not
> matter since the signatures are what is used to check if the key is
> valid.
Exactly. (I hate to keep harping on this, but...) Key servers should be
storage devices. Let the user figure out if the key should be trusted or
not.
> It is easy to make even a duplicate 64-bit keyid. If the keyserver
> makes the user go through many extra steps to get a key if there is a
> duplicate keyid, then that is a (mild) denial of service as well.
Agreed. We shouldn't make this harder than it has to be for the user.
I do like the idea of warning the user that multiple keys were returned,
though -- but the more I think about it, the more I think that that
warning should occur client-side.
--Len.