keyserver spam

David Shaw dshaw at jabberwocky.com
Fri Dec 16 19:28:13 CET 2011


On Dec 16, 2011, at 10:51 AM, gnupg at lists.grepular.com wrote:

> I understand that once you've uploaded something to the keyservers, it
> can't be removed. E.g., if I sign someone else's key and upload that, it
> will be attached to their key permanently?

Essentially, yes.  Things are theoretically removable, but it takes carefully-timed manual editing on the part of all the keyserver operators to expunge something (or the bad data will just come back). The system is just not designed for that.

> What if someone were to generate say, 10,000 keypairs with "offensive"
> uid names, and then sign my key with each of them, and then upload that
> to the keyservers? Is there anything to stop that?

Nope.

> Is there anything to
> stop a spammer generating a key with their URL in the uid name and then
> signing every key they can find and uploading that to the keyservers?

Nope.

> Has anything like this happened before?

Yes, but only in a few smallish cases.  As far as I recall, nobody has ever done multiple thousands of keys.

I'd be more worried about photo IDs on keys.  Imagine what could be done with someone using the keyserver network to distribute illegal photos.  To be sure, if the point is photo distribution, there are more efficient ways to go about it, but if your goal is to hurt the keyserver network…

David



