Modified user ids and key servers and a possible security risk?

Daniel Kahn Gillmor dkg at
Wed Aug 25 19:27:18 CEST 2010

On 08/25/2010 01:11 PM, Gregor Zattler wrote:
> Doesn't this open a denial of service attack vector on OpenPGPs
> PKI infrastructure?  I could binary edit your key, the key server
> adds its.

You could also create bogus signatures that claim to be from
non-existent keys and upload them to the keyserver.

> Your correspondent is then not able any more to import
> your key from the server...

my key would still be fetchable from the keyserver, but the bogus user
IDs wouldn't get imported.  The non-bogus material would be accepted by
the client, though.  One busted component doesn't invalidate the entire


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 892 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100825/002a63d4/attachment.pgp>

More information about the Gnupg-users mailing list