Keyserver doesn't honour removed signatures
dshaw at jabberwocky.com
Wed Apr 15 19:00:19 CEST 2009
On Apr 15, 2009, at 8:35 AM, Chris Hills wrote:
> On 14/04/09 14:32, Werner Koch wrote:
>> No. The Net never forgets. A keyservers will never remove
>> because signatures go into the key validation computation and thus
>> removing signatures would change the validity of your key.
>> are also used for revocations.
> Hypothetically, if a key is signed using another key which contains
> a jpg image of something illegal in the keyserver's location, what
> then? It would seem to me that the only option would be to remove
> the keyserver from the keyserver network.
Yes, this has been pointed out in the past. The attack that I came up
with was a bit different - use the keyserver net as your porn/warez/
kiddie porn/etc distribution point. Just upload keys with whatever
you like embedded in them. The keyserver net takes care of
distribution for you, and your "customers" can download your material
from whichever keyserver they like (or run their own keyserver and get
content synced to them on a regular basis).
More information about the Gnupg-users