Modified user ids and key servers and a possible security risk?
telegraph at gmx.net
Wed Aug 25 19:11:09 CEST 2010
Hi Daniel, gnupg-users,
* Daniel Kahn Gillmor <dkg at fifthhorseman.net> [25. Aug. 2010]:
> On 08/25/2010 12:18 PM, thomas weidner wrote:
>> Some sources on the web suggested leaving a message in the old
>> key which states that the key is not used any more. to do this
>> i binary edited a gpg files and uploaded the modified old key
>> to the keyserver again. the result looked promising:
>> Is this a security risk? I could do this for any key and leave
>> wrong messages on the key server which point to some other key. After
>> a discussion on #gnupg i was told that gpg will not import the added
>> user id because the signature is wrong. while this is great for
>> security the key server still shows the user id. is it a bug in the
>> key server, that it does not check new data for validity?
> keyservers do no cryptographic verification whatsoever. I think this is
> (historically) for several reasons:
> 0) the clients receiving the OpenPGP certificates need to verify the
> material anyway, and
> 1) adding the cryptographic checks to the keyservers is a non-trivial
> amount of work, and
> 2) there is no guarantee that the keyservers will support any specific
> cryptographic protocol. For example, as elliptic curve keys get rolled
> out for OpenPGP, what should cryptographic-capable (RSA, DSA, and
> ElGamal) keyservers do with such new keys? what should they do with
> certifications over old keys made by such keys? And
> 3) With the exception of self-signatures, it's entirely possible that
> the keyserver does not have a copy of the issuer's key, and so can't
> compute the validity of the signature in the first place.
But the selfsig would be enough to verify the legitimacy of new
> So: is this a cryptographic risk? no, not for clients who verify things
> on their own.
Doesn't this open a denial of service attack vector on OpenPGPs
PKI infrastructure? I could binary edit your key, the key server
adds its. Your correspondent is then not able any more to import
your key from the server...
> Is it a risk of cruft accumulating in the keyservers?
> yep. Does it mean you shouldn't trust the information you see published
> in a keyserver web page without fetching the keys and verifying them
> locally? yes, but that remains true whether or not you believe that the
> keyserver is implementing cryptographic checks, as the keyserver itself
> could be compromised.
> On balance, i think we should probably start considering adding crypto
> to keyservers, with the knowledge of these particular constraints. But
> it's not there yet.
> As always, i'd be happy to hear other people's perspectives on this stuff.
>  http://tools.ietf.org/html/draft-jivsov-openpgp-ecc-05
-... --- .-. . -.. ..--.. ...-.-
More information about the Gnupg-users