Key poisoning

Peter Lebbing peter at
Thu Aug 15 11:26:31 CEST 2019

On 15/08/2019 08:50, Robert J. Hansen wrote:
> Additionally, the bad guys can create new malicious certificates faster
> than the keyserver network can blacklist.

Plus, the attacker could just create a signature that looks likely to be
real (self-sig or existing third-party sig seems a good candidate). Only
when actually doing the cryptographic verification will it turn out to
be fake anyway. By that time the amount of processing GnuPG has done is
already enough for the denial of service.

I think the attacker only used cryptographically valid signatures
because it was easier to use existing tooling. There is no reason for
the poison to be cryptographically valid. It just has to be slightly
expensive to verify. GnuPG doesn't even get to the bit where the
signature is validated, since the signing key isn't on the keyring, and
still, we have this DoS.


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
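Added example, not part of this thread and not GnuPG's own code: a Python triage routine that reads only the OpenPGP packet framing (RFC 4880 section 4.2 old- and new-format headers) of a certificate and counts signature packets per user ID, so a flooded certificate can be refused before any signature body is parsed, looked up or verified. The packet encoder, the placeholder packet bodies (no real key material or signatures) and the threshold of 100 signatures per user ID are constructed assumptions for this example.

```python
"""Structural triage of an OpenPGP certificate before import.

Counts packets by tag from the binary packet framing alone; signature bodies
are never decoded, so the cost is linear in the byte length of the input.
Constructed example, not GnuPG code.
"""
from collections import Counter

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14
TAG_USER_ATTRIBUTE = 17


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos, n = 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable length
            tag = ctb & 0x3F
            body = b""
            while True:
                first = data[pos]
                pos += 1
                partial = False
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + data[pos] + 192
                    pos += 1
                elif first == 255:
                    length = int.from_bytes(data[pos:pos + 4], "big")
                    pos += 4
                else:  # partial body length; another length octet follows
                    length = 1 << (first & 0x1F)
                    partial = True
                body += data[pos:pos + length]
                pos += length
                if not partial:
                    break
        else:  # old-format header: tag in bits 2..5, length type in bits 0..1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not allowed in a certificate")
            lsize = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + lsize], "big")
            pos += lsize
            body = data[pos:pos + length]
            pos += length
        if pos > n:
            raise ValueError("truncated packet")
        yield tag, body


def signature_profile(data: bytes, max_sigs_per_uid: int = 100) -> dict:
    """Count signatures per user ID / attribute; flag a flooded certificate.

    The threshold is an assumption for this example; pick one from your own
    keyring statistics.
    """
    counts = Counter()
    per_uid = []          # [uid_body, signature_count] in certificate order
    current = None        # signatures after a key/subkey packet are not UID sigs
    for tag, body in iter_packets(data):
        counts[tag] += 1
        if tag in (TAG_USER_ID, TAG_USER_ATTRIBUTE):
            current = [body, 0]
            per_uid.append(current)
        elif tag in (TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY):
            current = None
        elif tag == TAG_SIGNATURE and current is not None:
            current[1] += 1
    worst = max((c for _, c in per_uid), default=0)
    return {
        "packets": dict(counts),
        "signatures": counts[TAG_SIGNATURE],
        "worst_uid_signatures": worst,
        "suspicious": worst > max_sigs_per_uid,
    }


def _packet(tag: int, body: bytes) -> bytes:
    """Encode one new-format packet (1-, 2- or 5-octet length). Constructed helper."""
    n = len(body)
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + hdr + body


def build_sample(n_third_party_sigs: int) -> bytes:
    """Constructed certificate skeleton with placeholder bodies, no real key material."""
    cert = _packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 50)
    cert += _packet(TAG_USER_ID, b"Example User <user at example.invalid>")
    cert += _packet(TAG_SIGNATURE, b"\x04\x13" + b"\x00" * 60)       # placeholder self-sig
    for _ in range(n_third_party_sigs):
        cert += _packet(TAG_SIGNATURE, b"\x04\x10" + b"\x00" * 300)  # placeholder third-party sig
    return cert


if __name__ == "__main__":
    for n in (5, 150):
        print(n, signature_profile(build_sample(n)))
```

The triage deliberately stops at the packet headers: it never looks up the issuer or runs a verification, which is exactly the cheap work the post says still gets a keyring into trouble once it is repeated enough times. A real import path would run this over the fetched certificate and refuse or truncate it before handing it to the full parser.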
