Keyserver doesn't honour removed signatures

David Shaw dshaw at jabberwocky.com
Wed Apr 15 19:00:19 CEST 2009


On Apr 15, 2009, at 8:35 AM, Chris Hills wrote:

> On 14/04/09 14:32, Werner Koch wrote:
>> No.  The Net never forgets.  A keyserver will never remove signatures
>> because signatures go into the key validation computation and thus
>> removing signatures would change the validity of your key.  Signatures
>> are also used for revocations.
>
> Hypothetically, if a key is signed using another key which contains  
> a jpg image of something illegal in the keyserver's location, what  
> then? It would seem to me that the only option would be to remove  
> the keyserver from the keyserver network.

Yes, this has been pointed out in the past.  The attack that I came up
with was a bit different - use the keyserver net as your
porn/warez/kiddie porn/etc distribution point.  Just upload keys with
whatever you like embedded in them.  The keyserver net takes care of
distribution for you, and your "customers" can download your material
from whichever keyserver they like (or run their own keyserver and get
content synced to them on a regular basis).

David



