Modified user ids and key servers and a possible security risk?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Aug 25 18:58:55 CEST 2010


On 08/25/2010 12:18 PM, thomas weidner wrote:
> Hello,
> 
> i started using gpg (with enigmail) today and found out i have
> already a key for my e-mail address on the key servers which i had
> completely forgotten about. Of course i do have the private key for
> this old key any more. Therefore i created a new key. Some sources on
> the web suggested leaving a message in the old key which states that
> the key is not used any more. to do this i binary edited a gpg file
> and uploaded the modified old key to the keyserver again. the result
> looked promising: 
> http://pgpkeys.pca.dfn.de/pks/lookup?op=vindex&search=0x6260AB5E079E8AA6
>
>  Is this a security risk? I could do this for any key and leave
> wrong messages on the key server which point to some other key. After
> a discussion on #gnupg i was told that gpg will not import the added
> user id because the signature is wrong. while this is great for
> security the key server still shows the user id. is it a bug in the
> key server, that it does not check new data for validity?

keyservers do no cryptographic verification whatsoever.  I think this is
(historically) for several reasons:

 0) the clients receiving the OpenPGP certificates need to verify the
material anyway, and

 1) adding the cryptographic checks to the keyservers is a non-trivial
amount of work, and

 2) there is no guarantee that the keyservers will support any specific
cryptographic protocol.  For example, as elliptic curve keys get rolled
out for OpenPGP, what should cryptographic-capable (RSA, DSA, and
ElGamal) keyservers do with such new keys?  what should they do with
certifications over old keys made by such keys?  And

 3) With the exception of self-signatures, it's entirely possible that
the keyserver does not have a copy of the issuer's key, and so can't
compute the validity of the signature in the first place.

So: is this a cryptographic risk? no, not for clients who verify things
on their own.  Is it a risk of cruft accumulating in the keyservers?
yep.  Does it mean you shouldn't trust the information you see published
in a keyserver web page without fetching the keys and verifying them
locally?  yes, but that remains true whether or not you believe that the
keyserver is implementing cryptographic checks, as the keyserver itself
could be compromised.

On balance, i think we should probably start considering adding crypto
to keyservers, with the knowledge of these particular constraints.  But
it's not there yet.

As always, i'd be happy to hear other people's perspectives on this stuff.

	--dkg

[0] http://tools.ietf.org/html/draft-jivsov-openpgp-ecc-05
