key server security

John Clizbe JPClizbe@attbi.com
Sat Jun 21 10:16:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kyle Hasselbacher wrote:

> On Thu, Jun 19, 2003 at 03:09:44PM -0400, David Shaw wrote:
>
>>No.  The keyservers are add-only for various reasons. [...]
>
> Sorry if this is a FAQ, but:  why?
>
> After a thread about a faked key on a key server (which doesn't check
> signatures), I started thinking about a key server which DOES check
> signatures, and strips those it finds lacking.  How do I attack such a
> system?  How do I attack it if it throws away expired data?  Is there a
> good reason NOT to use a DB backend (like Postgres) to do the storage?
>
> What's the impact of a black hat owning a key server?
>
> If all this is answered somewhere else, I'd love a pointer.

You might wish to try the PGP-Keyserver-Folk list.
pgp-keyserver-folk-subscribe@flame.org


- --
John P. Clizbe                   Inet:   JPClizbe AT attbi DOT com
Golden Bear Networks             PGP/GPG KeyID: 0x608D2A10
  "Most men take the straight and narrow. A few take the road less
traveled.  I chose to cut through the woods."
  "There is safety in Numbers... *VERY LARGE PRIME* Numbers"
9:00PM Tonight on _REAL_IRONY_:  Vegetarian Man Eaten by Cannibals
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-nr1 (Windows 2000)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+9BSIHQSsSmCNKhARAmNkAKCHRGQdNRCCcZ15Ok4cWXGtKJ1bYwCglXYV
p+fcns+2dcJEddJfJTXbios=
=seZA
-----END PGP SIGNATURE-----