hashed user IDs [was: Re: Security of the gpg private keyring?]

Robert J. Hansen rjh at sixdemonbag.org
Thu Mar 10 14:10:32 CET 2011


On 3/10/2011 5:23 AM, Hauke Laging wrote:
> You made a brute force calculation. Why should keyservers allow brute force 
> searches for hash IDs? If you use millions of remotely controlled idiot PCs 
> simultaneously for that then it may be hard to track them but then we are 
> close to a DoS, aren't we?

Not at all.  Every few days the keyserver network posts complete dumps
of all the certificates in the system.  (Or, more accurately, various
people within the network do.)  This exists so that new volunteers who
want to contribute their services to the community can get their own
servers bootstrapped.

If I want to brute-force the certificates, I'd just say, "hey, I'm
interested in standing up a new keyserver," get a dump of all the certs,
and then do the brute forcing on my own system without ever needing to
hit the network.


