Modified user ids and key servers and a possible security risk?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Aug 25 19:27:18 CEST 2010
On 08/25/2010 01:11 PM, Gregor Zattler wrote:
> Doesn't this open a denial of service attack vector on OpenPGP's
> PKI infrastructure? I could binary edit your key, the key server
> adds it.
You could also create bogus signatures that claim to be from
non-existent keys and upload them to the keyserver.
> Your correspondent is then not able any more to import
> your key from the server...
My key would still be fetchable from the keyserver, but the bogus user
IDs wouldn't get imported. The non-bogus material would be accepted by
the client, though. One busted component doesn't invalidate the entire
certificate.
--dkg
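The behaviour dkg describes, as an added example that is not code from this thread or from GnuPG: a simplified Go model in which each user ID component must carry a self-signature verifiable with the primary key, so the client keeps the genuine material and rejects only the appended components. The UserID/SelfSign/ImportUserIDs names and the ed25519-over-(key||name) scheme are assumptions of this model, not OpenPGP's actual packet or signature format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Illustrative model only (not the OpenPGP packet format): a user ID component
// with the self-signature the primary key is supposed to have made over it.
type UserID struct {
	Name    string
	SelfSig []byte // ed25519 signature over primaryKey || Name
}

func signingInput(primary ed25519.PublicKey, name string) []byte {
	return append(append([]byte{}, primary...), []byte(name)...)
}

// SelfSign is what the key owner does: bind a user ID with a self-signature.
func SelfSign(priv ed25519.PrivateKey, name string) UserID {
	pub := priv.Public().(ed25519.PublicKey)
	return UserID{Name: name, SelfSig: ed25519.Sign(priv, signingInput(pub, name))}
}

// ImportUserIDs models the client side: each component stands or falls on its
// own self-signature, so bogus user IDs are rejected while valid ones survive.
func ImportUserIDs(primary ed25519.PublicKey, uids []UserID) (kept, dropped []string) {
	for _, uid := range uids {
		if ed25519.Verify(primary, signingInput(primary, uid.Name), uid.SelfSig) {
			kept = append(kept, uid.Name)
		} else {
			dropped = append(dropped, uid.Name)
		}
	}
	return kept, dropped
}

// Demo builds the scenario from the thread with constructed sample data: one
// genuine user ID, plus two appended by someone without the owner's private key.
func Demo() (kept, dropped []string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // not the owner's key
	uids := []UserID{
		SelfSign(priv, "Alice <alice@example.org>"),
		{Name: "bogus1@example.org"}, // no self-signature at all
		{Name: "bogus2@example.org", // signed, but by the wrong key
			SelfSig: ed25519.Sign(otherPriv, signingInput(pub, "bogus2@example.org"))},
	}
	return ImportUserIDs(pub, uids)
}
```

Running Demo yields the single genuine user ID as kept and both appended ones as dropped, which is the per-component outcome the reply describes.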