duplicate keyid survey results

[Len Sassaman]

On Fri, 8 Mar 2002, David Shaw wrote:

> > I'd like to return only "Found duplicate keys" status to client. If
> > keyserver returns all of duplicate key contents to client, it can be
> > used another DoS attack.
>
> How?
>
> The user does not know if any key from a keyserver is valid or not.
> Even if an attacker creates hundreds of duplicate keys, it does not
> matter since the signatures are what is used to check if the key is
> valid.

Exactly. (I hate to keep harping on this, but...) Key servers should be
storage devices. Let the user figure out if the key should be trusted or
not.

> It is easy to make even a duplicate 64-bit keyid.  If the keyserver
> makes the user go through many extra steps to get a key if there is a
> duplicate keyid, then that is a (mild) denial of service as well.

Agreed. We shouldn't make this harder than it has to be for the user.

I do like the idea of warning the user that multiple keys were returned,
though -- but the more I think about it, the more I think that that
warning should occur client-side.


--Len.