[Freedombox-discuss] keyserver spam

John Walsh fiftyfour at waldevin.com
Thu Dec 22 00:00:27 UTC 2011


Hi Everybody,

Geez. Just when I get PGP Certificates and the Web of Trust, I discover it's
susceptible to spammers 8( 
Comments inline.

> -----Original Message-----
> From: freedombox-discuss-bounces+fiftyfour=waldevin.com at lists.alioth.debian.org
> [mailto:freedombox-discuss-bounces+fiftyfour=waldevin.com at lists.alioth.debian.org] On Behalf Of Melvin Carvalho
> Sent: Wednesday, 21 December 2011 2:32 AM
> To: GnuPG Users
> Cc: freedombox-discuss; gnupg at lists.grepular.com
> Subject: Re: [Freedombox-discuss] keyserver spam
> 
> On 16 December 2011 18:50, Daniel Kahn Gillmor 
> <dkg at fifthhorseman.net> wrote:
> > On 12/16/2011 10:51 AM, gnupg at lists.grepular.com wrote:
> >> I understand that once you've uploaded something to the keyservers,
> >> it can't be removed. E.g., if I sign someone else's key and upload that,
> >> it will be attached to their key permanently?
> >
> > yes, this is correct. :(
> >
> >> What if someone were to generate say, 10,000 keypairs with "offensive"
> >> uid names, and then sign my key with each of them, and then upload
> >> that to the keyservers? Is there anything to stop that?
> >
> > nope.  flooding like this is currently possible. :(
These keyservers are public. Could each FBX have its own private keyserver
which restricts who can sign/trust/upload keys, while still remaining connected
to the wider Web of Trust (keyserver) ecosystem?

For example, only those who are "friends" (two way connection) are allowed
to sign my keys. There could be another rule that I only trust keys of my
direct family (parents, siblings, children). All this could be
abstracted/automated for users as long as they have an FBX. Am I just
dreaming?

> >
> >> Is there anything to
> >> stop a spammer generating a key with their URL in the uid name and
> >> then signing every key they can find and uploading that to the keyservers?
> >
> > nope, this is also possible. :(

> >
> >> Has anything like this happened before?
> >
> > well, there's the JBARSE key, which i vaguely recall having been
> > created in a joking way to threaten character assassination, but i
> > can't find any keys that it has actually signed, nor any documentation
> > to explain why i have this recollection, so please take
> > with a grain of salt.
> 
> I'm wondering if this could be used as an attack vector against
> (say), freedombox, if it became popular e.g.
> 
> 1. Let's say FBX got a big sponsorship, could the key servers cope with
> 1 million, 10 million, 100 million new keys?
> 
> Granted, this is a nice problem to have! :)
> 
> 2. Could a malicious or anti-freedom oriented entity use this 
> to disrupt the FBX network, for example by using a botnet to 
> keep spamming key servers, similar to email spam botnets.
> 
> CC: FBX mail list
> 
> >
> >        --dkg
> >
> >
> > _______________________________________________
> > Gnupg-users mailing list
> > Gnupg-users at gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gnupg-users
> >
> 
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
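As an added illustration of the "private keyserver per FBX" idea raised in this message (example code written for this page, not code from the thread, from GnuPG or from the FreedomBox project), the following Python model accepts a third-party certification on a hosted key only when the signer and the target have each listed the other as a friend, and derives the owner's trust in a key from the relationship (direct family: full, mutual friend: marginal, anyone else: none). It goes slightly beyond the message by applying the mutual-friend rule to every key the box hosts, not only the owner's. All fingerprints, names and the friend/family lists are constructed for the example and are not real key material.

```python
"""Toy model of a per-FreedomBox keyserver with a signing policy (added example).

Public keyservers accept any certification on any key, which is what makes the
signature flooding discussed in the thread possible.  This sketch only accepts a
certification if the signer and the target are mutual friends, and computes
trust from the owner's relationship to the signer.  Fingerprints are
constructed strings, not real key material.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certification:
    signer: str   # fingerprint of the certifying key (constructed)
    target: str   # fingerprint of the key being certified (constructed)


@dataclass
class PersonalKeyserver:
    owner: str                   # fingerprint of the box owner's key
    friends_of: dict             # fingerprint -> set of fingerprints it calls friends
    family: set                  # owner's direct family (parents, siblings, children)
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def is_mutual_friend(self, a: str, b: str) -> bool:
        """Two-way connection: each key lists the other as a friend."""
        return b in self.friends_of.get(a, set()) and a in self.friends_of.get(b, set())

    def submit(self, cert: Certification) -> bool:
        """Accept a certification only if signer and target are mutual friends.

        Self-signatures (signer == target) are always accepted, because a key
        must be able to certify its own user ids.
        """
        if cert.signer == cert.target or self.is_mutual_friend(cert.signer, cert.target):
            self.accepted.append(cert)
            return True
        self.rejected.append(cert)
        return False

    def trust_level(self, fingerprint: str) -> str:
        """Owner-side rule: full for self and direct family, marginal for
        mutual friends, none for everyone else."""
        if fingerprint == self.owner or fingerprint in self.family:
            return "full"
        if self.is_mutual_friend(self.owner, fingerprint):
            return "marginal"
        return "none"


def build_example_server() -> PersonalKeyserver:
    """Constructed relationship graph for the demo (hypothetical fingerprints)."""
    owner = "FPR-OWNER"
    friends_of = {
        owner: {"FPR-ALICE", "FPR-BOB", "FPR-MOM"},
        "FPR-ALICE": {owner},   # Alice lists the owner back: mutual
        "FPR-BOB": set(),       # owner lists Bob, Bob does not list owner: one-way
        "FPR-MOM": {owner},     # mutual, and also in the family set
    }
    return PersonalKeyserver(owner=owner, friends_of=friends_of, family={"FPR-MOM"})


def simulate_flood(server: PersonalKeyserver, count: int) -> int:
    """Submit `count` certifications on the owner's key from freshly made-up
    signer keys (the 10,000-keypair scenario from the thread) and return how
    many the policy rejected."""
    rejected = 0
    for i in range(count):
        if not server.submit(Certification(signer=f"FPR-SPAM-{i:05d}", target=server.owner)):
            rejected += 1
    return rejected


if __name__ == "__main__":
    srv = build_example_server()
    print("alice ->", srv.submit(Certification("FPR-ALICE", "FPR-OWNER")))
    print("bob   ->", srv.submit(Certification("FPR-BOB", "FPR-OWNER")))
    print("flood rejected:", simulate_flood(srv, 10_000), "of 10000")
    for fpr in ("FPR-MOM", "FPR-ALICE", "FPR-BOB", "FPR-SPAM-00000"):
        print(fpr, srv.trust_level(fpr))
```

The policy lives entirely on the box, so the box can still sync accepted certifications outward to the public keyserver pool while refusing to import or display unsolicited ones on its own keys; what it cannot do is remove signatures already sitting on the public servers, which is the limitation the thread describes.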
