duplicate keyid survey results

Oyvind A. Holm sunny@sunbase.org
Sat Mar 9 10:25:01 2002

Hash: SHA1

On 2002-03-09 13:03 Hironobu SUZUKI wrote:
> David Shaw <dshaw@jabberwocky.com> wrote:
> > If you don't think this is the right way to go, what do you suggest
> > as an alternative? I think a warning is fine, but not returning one
> > of the keys leaves the keyserver open for a denial of service
> > attack.
> I'd like to return only "Found duplicate keys" status to client. If
> keyserver returns all of duplicate key contents to client, it can be
> used another DoS attack.

Not if the server displays a terse list of all the keys from which the
user can choose the desired key. Additionally there could be some cron
jobs running on the server once a week or something that searches for
duplicated fake keys and reports to the maintainer. But then we have
the "problem" of getting the same key back again when some of the other
key servers reinstall the key. If we were to get rid of obvious faked
keys, they should be disabled on the server, but I doubt this a big
enough problem to make any special arrangements for it.

IMHO the danger of DoS attacks due to duplicate 32-bits keyIDs is not
very big. If there were lots of keys showing up as duplicates, there
would not be a significant amount of resources needed from the server.
Waste of bandwith, yes, but I don't think it would result in a DoS
situation. But then, I have no clue of the inner workings of the server
software, so please correct me if I'm wrong. :-)

I think the option of specifying the fingerprint is a good idea. Not
necessarily the whole bunch of bits, just enough to make it unique.


| OpenPGP: 0x629022EB 2002-02-24 =D8yvind A. Holm <sunny@sunbase.org> |
| Fingerprint: DBE9 8D44 67F7 42AC 2CA1  7651 724E 9D53 6290 22EB   |
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Why, Micro=
soft=AE, WHY??? =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=

Version: GnuPG v1.0.6 (GNU/Linux)