Weakness in the keyserver network (Was Re: Global Directory signatures)

David Shaw dshaw at jabberwocky.com
Fri Jan 7 04:22:02 CET 2005


On Thu, Jan 06, 2005 at 07:27:11PM -0500, Jason Harris wrote:

> As you said, if a key isn't on keyserver.pgp.com, then it is not
> considered usable by that keyserver, so what is the point in issuing
> such short-lived, yet exportable, signatures in the first place?
> Even using yearly signatures, the keyserver needn't export them to
> know that it has signed each key.  IINM, the signatures could be
> marked non-exportable but still be sent to and used by PGP and GPG
> users that want 0xCA57AD7C in their personal WoT.  Then, those
> signatures wouldn't be exported by encryption clients to the regular
> keyservers and it wouldn't matter how often they are [re]issued.  As
> well, all regular keyservers could discard any non-exportable
> signatures they are sent, which would be a lot better than
> hard-coding keyids and retention policies for specific, nuisance,
> automated keysigners.

The whole meaning of non-exportable is that the signatures are, well,
non-exportable.  Having the GD issue non-exportable signatures rather
defeats the point of the thing.  Forgetting for a minute the protocol
issues with this, a simple practical reason why this won't work is
that GnuPG won't import a non-exportable signature without modifying
the config, and PGP won't do it at all.  Mandating code changes in the
clients isn't going to happen since it would require all GD users to
upgrade, which is unrealistic.

You call the GD a "nuisance".  I don't agree.  We can have that
discussion if you like, but perhaps more interesting is that the GD,
nuisance or not, is illuminating weaknesses in the keyserver network.
The keyserver network is dependent on clients being well-behaved.
That's a recipe for abuse if I ever saw one.

To make an extreme example, say there was a rogue signer, pumping out
thousands of signatures a day onto the keyserver network, all set to
expire in a week.  Due to the design of the web of trust, there is no
real impact on it.  However, there is an ugliness to all those
signatures.  UI displays (e.g. vindex) are rendered almost useless.
Over time, this approaches a denial of service when the signed keys
get so big they can't easily be downloaded.  The keyserver database
gets huge.  Lots of bandwidth is used to sync all of those signatures
between the various nodes in the keyserver net.  It gets messy fast.

Now, to be sure, this isn't a brand new keyserver attack that nobody
ever thought of, plus the GD is nowhere near as bad as my example
above.  The GD behavior (being a very prolific signer, with no
particular effort taken to prevent signatures leaking from the GD onto
the keyserver net) is just a reminder that the keyserver net is
vulnerable to this sort of flooding.

If you need a reason other than someone just being mean, spammers
could fairly easily get keyservers to display their ads with this sort
of flooding.  There's incentive right there.  You'll forgive me for
not going into excessive detail how exactly to do it, I hope :)

David
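
The following Python example is added here and is not from the original message or from any keyserver implementation. It parses the subpackets of a v4 signature packet body to apply the discard rule for non-exportable signatures proposed in the quoted text, and to count short-lived signatures per issuer, the flooding pattern described above. The names `parse_sig` and `triage`, the `limit` threshold and the sample key ID are assumptions constructed for illustration.

```python
import struct
WEEK = 7 * 24 * 3600  # the flood example above: signatures expiring in a week
# Constructed sample: v4 certification; hashed = creation time + exportable=0; unhashed = issuer.
SAMPLE = bytes.fromhex("04101102" "0009" "050241de0000" "020400" "000a" "09101111111111111111" "0000")

def subpackets(area):
    """Yield (type, data) per subpacket of a v4 subpacket area (RFC 4880, 5.2.3.1)."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                       # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                           # five-octet length
            n, i = struct.unpack(">I", area[i:i + 4])[0], i + 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]  # mask off the critical bit
        i += n

def parse_sig(body):
    """Return issuer key ID, exportable flag and lifetime of a v4 signature packet body."""
    if len(body) < 8 or body[0] != 4:
        raise ValueError("not a v4 signature")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    info = {"issuer": None, "exportable": True, "lifetime": None}
    for signed, area in ((True, body[6:6 + hlen]), (False, body[8 + hlen:8 + hlen + ulen])):
        for t, d in subpackets(area):
            if t == 16 and len(d) == 8:               # issuer, usually in the unhashed area
                info["issuer"] = d.hex().upper()
            elif signed and t == 3 and len(d) == 4:   # expiration, seconds after creation
                info["lifetime"] = struct.unpack(">I", d)[0]
            elif signed and t == 4 and len(d) == 1:   # exportable certification flag
                info["exportable"] = d[0] != 0
    return info

def triage(bodies, limit):
    """Drop non-exportable and malformed signatures; flag issuers over `limit` short-lived ones."""
    kept, short = [], {}
    for body in bodies:
        try:
            info = parse_sig(body)
        except (ValueError, IndexError, struct.error):
            continue                                  # malformed: do not store
        if info["exportable"]:                        # else discard, as the quoted text proposes
            kept.append(info)
            if info["lifetime"] and info["lifetime"] <= WEEK:
                short[info["issuer"]] = short.get(info["issuer"], 0) + 1
    return kept, {k for k, n in short.items() if n > limit}
```

The exportable flag and expiration are read only from the hashed area, since unhashed subpackets are not covered by the signature and can be altered in transit.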



More information about the Gnupg-users mailing list