Garbled data in keyservers

Werner Koch wk at
Wed Dec 5 18:53:20 CET 2018

On Wed,  5 Dec 2018 17:34, stefan.claas at said:

> Can you give more details about the security aspect?

People believe that the keyservers magically return a matching key for a
mail address.  There is no guarantee for this.  In fact all people from
the strong had meanwhile expired faked key on the servers, which was not
easy to detect given that they were also signed by faked keys from the
strong set.

Thus if you have the capability to sniff mail you would upload a faked
key and hope that future senders pick up that faked key and encrypt to
it.  You can now intercept that mail, read it, encrypt to the real key
and send on.  Even if you can't mount such an active MitM you can
simply send on the newly encrypted mail with an additional line "sorry, I
encrypted to the wrong key".

Right the Web of Trust would stop this attack, but most people are not
part of the WoT.  Simple methods for initial /key discovery/ are
required.  Even autocrypt is better than keyservers and with the Web Key
Directory you can get an even better assurance that it is the correct

> run their own key server and analyze the data. So what purpose should
> your suggestion serve?

The additional benefit is that this would take away the load from the
servers and allow that we can get back the large mesh of keyservers.
Without being able to search user-ids it does not anymore make sense to
use keyservers as search engines for magnet links to Bittorrent
distributed data.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list