keyserver spam
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Dec 16 18:50:53 CET 2011
On 12/16/2011 10:51 AM, gnupg at lists.grepular.com wrote:
> I understand that once you've uploaded something to the keyservers, it
> can't be removed. Eg, if I sign someone elses key and upload that, it
> will be attached to their key permanently?
yes, this is correct. :(
> What if someone were to generate say, 10,000 keypairs with "offensive"
> uid names, and then sign my key with each of them, and then upload that
> to the keyservers? Is there anything to stop that?
nope. flooding like this is currently possible. :(
> Is there anything to
> stop a spammer generating a key with their URL in the uid name and then
> signing every key they can find and uploading that to the keyservers?
nope, this is also possible. :(
> Has anything like this happened before?
well, there's the JBARSE key, which i vaguely recall having been created
in a joking way to threaten character assassination, but i can't find
any keys that it has actually signed, nor any documentation to explain
why i have this recollection, so please take with a grain of salt.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20111216/b8957306/attachment.pgp>
More information about the Gnupg-users
mailing list