keyserver spam

David Shaw dshaw at jabberwocky.com
Sat Dec 17 16:17:30 CET 2011


On Dec 17, 2011, at 8:23 AM, gnupg at lists.grepular.com wrote:

> On 16/12/11 19:07, vedaal at nym.hush.com wrote:
> 
>> What if keyservers were to limit the amount of keys generated or 
>> uploaded to a 'reasonable' amount which no 'real' user would 
>> exceed?
>> 
>> (i.e. 10/day, or some other number discussed and agreed upon by the 
>> various keyservers?)
> 
> You could still successfully mess with someone by signing their key with
> offensive or spammy content ten times a day.
> 
> I find it strange that the keyservers don't do any sort of email
> validation before accepting key submissions and that they just allow
> anyone to upload signatures for your key without verifying if you want
> to allow them first.

There is such a keyserver, made by the PGP company (now run by Symantec, I suppose): http://keyserver.pgp.com/

It's an interesting server, with different semantics than the traditional keyserver net that we were talking about earlier.  Most significantly, it emails the keyholder (at the address on the key) before accepting the key into the server.  It also signs keys that are submitted to it, which allows people to leverage this email checking in their own trust calculations, but can also "litter" keys with repeated signatures.  If I recall, it is (or perhaps was) the default keyserver for PGP installations.

Of necessity, this server does not synchronize with other keyservers, which is either a good or bad thing, depending on who you ask ;)

David
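The submission policy the message describes (the server emails the keyholder at the address on the key before publishing anything, then adds its own signature once the address is confirmed), plus the two ideas from the quoted replies (holding third-party signatures for the keyholder's approval and capping how many one signer may submit per day), sketched as a small model. This is an added example, not code from the thread or from any real keyserver; the class and method names, the `SERVER-SIGNING-KEY` identifier, the fingerprints and addresses are all constructed, and an in-memory outbox stands in for real email delivery.

```python
# Added example (not from the thread): toy model of a keyserver that will not
# publish a key, or attach a third-party signature to it, until the holder of
# the address on the key echoes back a single-use challenge token. Also caps
# how many signature submissions one signer may make per day. All data below
# (fingerprints, addresses, the server key id) is constructed.
import secrets
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Key:
    fingerprint: str          # constructed stand-in for an OpenPGP fingerprint
    email: str                # address on the key's user ID
    signatures: set = field(default_factory=set)  # fingerprints of signers


class VerifyingKeyserver:
    SERVER_FPR = "SERVER-SIGNING-KEY"   # hypothetical server signing key id

    def __init__(self, sigs_per_day=10):
        self.sigs_per_day = sigs_per_day
        self.keys = {}        # published keys, by fingerprint
        self.pending = {}     # challenge token -> action awaiting confirmation
        self.outbox = []      # (recipient, token) pairs instead of real email
        self.sig_counts = defaultdict(int)  # (signer, day) -> submissions

    def _challenge(self, email, action):
        # Unguessable single-use token mailed to the address on the key;
        # nothing is published until that mailbox's owner echoes it back.
        token = secrets.token_urlsafe(32)
        self.pending[token] = action
        self.outbox.append((email, token))
        return token

    def submit_key(self, key):
        if key.fingerprint in self.keys:
            return None  # already published, nothing to confirm
        return self._challenge(key.email, ("publish", key))

    def submit_signature(self, target_fpr, signer_fpr, day):
        target = self.keys.get(target_fpr)
        if target is None:
            return None  # only keys the server has already verified
        if self.sig_counts[(signer_fpr, day)] >= self.sigs_per_day:
            return None  # cap on how often one signer may bother a keyholder
        self.sig_counts[(signer_fpr, day)] += 1
        # The signature is held until the keyholder approves it by email.
        return self._challenge(target.email, ("sign", target_fpr, signer_fpr))

    def confirm(self, token):
        action = self.pending.pop(token, None)  # pop: a token works once
        if action is None:
            return False
        if action[0] == "publish":
            key = action[1]
            key.signatures.add(self.SERVER_FPR)  # server's address-verified sig
            self.keys[key.fingerprint] = key
        else:
            _, target_fpr, signer_fpr = action
            self.keys[target_fpr].signatures.add(signer_fpr)
        return True


def demo():
    """Walk through the policy on constructed data; returns the checks as a dict."""
    ks = VerifyingKeyserver(sigs_per_day=2)
    alice = Key("ALICE-FPR", "alice@example.invalid")
    tok = ks.submit_key(alice)
    before = "ALICE-FPR" in ks.keys            # not yet: mail unanswered
    ks.confirm(tok)                             # keyholder echoes the token
    published = "ALICE-FPR" in ks.keys and ks.SERVER_FPR in alice.signatures
    t1 = ks.submit_signature("ALICE-FPR", "MALLORY-FPR", day=1)
    t2 = ks.submit_signature("ALICE-FPR", "MALLORY-FPR", day=1)
    t3 = ks.submit_signature("ALICE-FPR", "MALLORY-FPR", day=1)  # over the cap
    ks.confirm(t1)                              # Alice approves one of them
    return {
        "published_before_confirm": before,
        "published_after_confirm": published,
        "third_sig_capped": t3 is None,
        "held_sig_count": len(ks.pending),      # t2 still waiting on Alice
        "mallory_on_key": "MALLORY-FPR" in alice.signatures,
        "replay_rejected": ks.confirm(t1) is False,
        "bogus_rejected": ks.confirm("not-a-token") is False,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of routing third-party signatures through the same challenge as key publication is that the keyholder, not the signer, decides what appears on the key, which is exactly what the quoted complaint asks for; the per-signer daily cap only limits how many approval mails a spammer can trigger, not whether anything lands on the key.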
