key server security

John Clizbe
Sat Jun 21 10:16:02 2003

Kyle Hasselbacher wrote:

> On Thu, Jun 19, 2003 at 03:09:44PM -0400, David Shaw wrote:
>>No.  The keyservers are add-only for various reasons. [...]
> Sorry if this is a FAQ, but:  why?
> After a thread about a faked key on a key server (which doesn't check
> signatures), I started thinking about a key server which DOES check
> signatures, and strips those it finds lacking.  How do I attack such a
> system?  How do I attack it if it throws away expired data?  Is there a
> good reason NOT to use a DB backend (like Postgres) to do the storage?
> What's the impact of a black hat owning a key server?
> If all this is answered somewhere else, I'd love a pointer.

You might wish to try the PGP-Keyserver-Folk list.

--
John P. Clizbe                   Inet:   JPClizbe AT attbi DOT com
Golden Bear Networks             PGP/GPG KeyID: 0x608D2A10
  "Most men take the straight and narrow. A few take the road less
traveled.  I chose to cut through the woods."
  "There is safety in Numbers... *VERY LARGE PRIME* Numbers
9:00PM Tonight on _REAL_IRONY_:  Vegetarian Man Eaten by Cannibals