key server security
John Clizbe
JPClizbe@attbi.com
Sat Jun 21 10:16:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kyle Hasselbacher wrote:
> On Thu, Jun 19, 2003 at 03:09:44PM -0400, David Shaw wrote:
>
>>No. The keyservers are add-only for various reasons. [...]
>
> Sorry if this is a FAQ, but: why?
>
> After a thread about a faked key on a key server (which doesn't check
> signatures), I started thinking about a key server which DOES check
> signatures, and strips those it finds lacking. How do I attack such a
> system? How do I attack if it if it throws away expired data? Is there a
> good reason NOT to use a DB backend (like Postgres) to do the storage?
>
> What's the impact of a black hat owning a key server?
>
> If all this is answered somewhere else, I'd love a pointer.
You might wish to try the PGP-Keyserver-Folk list.
pgp-keyserver-folk-subscribe@flame.org
- --
John P. Clizbe Inet: JPClizbe AT attbi DOT com
Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
"Most men take the straight and narrow. A few take the road less
traveled. I chose to cut through the woods."
"There is safety in Numbers... *VERY LARGE PRIME* Numbers
9:00PM Tonight on _REAL_IRONY_: Vegetarian Man Eaten by Cannibals
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-nr1 (Windows 2000)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE+9BSIHQSsSmCNKhARAmNkAKCHRGQdNRCCcZ15Ok4cWXGtKJ1bYwCglXYV
p+fcns+2dcJEddJfJTXbios=
=seZA
-----END PGP SIGNATURE-----