SKS Keyserver Network Under Attack

Mark Rousell markr at
Mon Jul 1 10:37:01 CEST 2019

On 30/06/2019 13:44, Robert J. Hansen wrote:
> This has all the hallmarks of a child playing with matches and
> clapping with glee as the house catches fire.

I think not.

You yourself say that the SKS system has had known problems for well
over a decade and yet nothing has been done about it. In other words,
inertia has overruled both prudence and strategic avoidance of
predictable problems[1].

Well, someone has now brought widespread attention to the issue. By
poisoning the certificate of (at least) two very high-profile members of
this community, they have brought absolutely unavoidable attention to
the fact that something needs to be done *now*. As things stand, it's
still not too late for something to be done to protect the vast majority
of users and use cases.

Good can come of this attack on you and DKG.

Yes, as you say in your Gist, the attackers could have come to you and
worked together. But I can also understand why they didn't: This
approach has made waves, and sometimes waves are necessary to wake up a
community that really knows it should be taking action but hasn't done so.

Both you and DKG are clearly furious that you were targeted (and
rightly so!) but if 'lesser' members of the community had been attacked
in this way it's entirely possible that either no one would have noticed
or that it would not have had the radical shake-up effect that this is
now having.

I'm not condoning an attack like this. In the UK (where I am located) it
is likely to be illegal, and it is probably illegal in other
jurisdictions. But I just don't see a "child [...] clapping with glee".

Instead it seems to me that the net result is that long overdue action
is now taking place.

Thank you for all your input into OpenPGP. Yes, it's made you a target.
But, despite the seemingly personal nature of this, it does seem that
good can come of it.

(And for the avoidance of doubt: I do not know who was behind this and
it was not me.)

1: You referred to this inertia as "powerful technical and social
factors" which is true but they still represent a bug, not a feature.
These factors are in effect societal excuses, not legitimate reasons for
lack of action. As I write this, I fully appreciate the fact that very
few people receive remuneration for writing code or maintaining key
servers (or much of anything else connected with OpenPGP). But again,
perhaps this is also a bug of sorts. Perhaps there does need to be a way
for critical non-hierarchical Internet infrastructure like this to be
financed. Isn't Eric S. Raymond working on something like this right now?

Mark Rousell
