Garbled data in keyservers
Stefan Claas
stefan.claas at posteo.de
Sun Dec 16 22:06:55 CET 2018
On Sun, 09 Dec 2018 20:34:55 +0100, Dirk Gottschalk wrote:
> Am Sonntag, den 09.12.2018, 20:03 +0100 schrieb Stefan Claas:
> > My proposal could be run also in parallel. I think it would be
> > only a weekend job for a programmer to modify the server code,
> > so that it accepts only incoming and verified email and not web
> > or GnuPG via Tor submissions.
> A weekend job... Muhahahahahahaha, you don't do much programming, don't
> you? One would have to write an email bot, change the keyserver code to
> no longer accept submissions via HKP, then it would be neccessary do
> disable HKP for upload in GnuPG to avoid broken Clients and so on.
While testing today how to make someones pub key non-importable,non-
receivable, with an evil version of GnuPG, I am wondering about the following:
Is it not possible that for pub key submissions GnuPG could be installed
on key servers to check if the key material is valid, prior keys got added?
My test today showed me that it looks like that GnuPG is not used on
key servers.
In case if there would be email submissions possible, in the future, i think
it could work something like this: Install postfix and procmail, while
procmail would pipe that message to gnupg for verification of valid key
data, prior the pub key gets added to the pool.
Well, just some thoughts.
Regards
Stefan
--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
More information about the Gnupg-users
mailing list