Garbled data in keyservers

Dirk Gottschalk dirk.gottschalk1980 at googlemail.com
Tue Dec 18 22:57:36 CET 2018


Hi Stefan.

On Sunday, 16.12.2018, 22:06 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 20:34:55 +0100, Dirk Gottschalk wrote:
> > On Sunday, 09.12.2018, 20:03 +0100, Stefan Claas wrote:
> > > My proposal could be run also in parallel. I think it would be
> > > only a weekend job for a programmer to modify the server code,
> > > so that it accepts only incoming and verified email and not web
> > > or GnuPG via Tor submissions.  
> > A weekend job... Muhahahahahahaha, you don't do much programming,
> > do you? One would have to write an email bot, change the
> > keyserver code to no longer accept submissions via HKP, then it
> > would be necessary to disable HKP for upload in GnuPG to avoid
> > broken clients and so on.

> While testing today how to make someone's pub key non-importable, non-
> receivable, with an evil version of GnuPG, I am wondering about the
> following:

> Is it not possible that for pub key submissions GnuPG could be
> installed on key servers to check if the key material is valid, before
> the keys get added?

This would be possible for sure. Most servers I know run on Linux; GPG
should be installed anyway. The simplest way would be to store the
key temporarily, try to import it into a dummy keyring and check the
success/failure of the import. On success use the key, on failure
reject it.

> My test today showed me that it looks like GnuPG is not used on
> key servers.

That's true. I also don't know of a server doing it this way, but it would
be possible without the need to break the actual HKP.


> In case email submissions would be possible in the future,
> I think it could work something like this: install postfix and
> procmail, where procmail would pipe the message to gnupg for
> verification of valid key data before the pub key gets added to the
> pool.

This would be possible, too.
Years ago there was an email submission possibility. Some mail clients
even had a menu item to add the ASCII-armoured key into the mail body.
But these functions went away years ago. I think nobody really used it,
so it was abandoned.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
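The "import into a dummy keyring, accept on success, reject on failure" check described above, and the procmail-pipes-the-mail-to-gnupg idea from the quoted proposal, as an added example script. This is not code from the mail, from any keyserver project, or from GnuPG itself; it assumes GnuPG 2.x is on PATH and that the submission (a bare key file or a saved email body) is handed to it as a file argument.

```shell
#!/bin/sh
# Accept-or-reject check for a submitted OpenPGP public key: import it into
# a throwaway keyring and let the import result decide.
# Assumptions (not from the original mail): `gpg` (GnuPG 2.x) is on PATH and
# the submission arrives as a file, e.g. a message saved by a procmail recipe.

# validate_key FILE
#   Returns 0 when FILE contains key material GnuPG can import, 1 otherwise.
validate_key() {
    keyfile=$1
    # Fresh, private GNUPGHOME: the server's own keyring is never touched,
    # and a malformed submission cannot poison anything persistent.
    tmphome=$(mktemp -d) || return 1
    chmod 700 "$tmphome"
    rc=1
    # --batch/--no-tty: never prompt. gpg exits non-zero when it finds no
    # valid OpenPGP data; additionally require that at least one public key
    # really landed in the dummy keyring before accepting.
    if GNUPGHOME="$tmphome" gpg --batch --no-tty --quiet --import "$keyfile" >/dev/null 2>&1; then
        if GNUPGHOME="$tmphome" gpg --batch --no-tty --with-colons --list-keys 2>/dev/null \
             | grep -q '^pub:'; then
            rc=0
        fi
    fi
    rm -rf "$tmphome"
    return $rc
}

# When invoked as a script with a file argument (e.g. from a procmail recipe
# that saved the incoming message), act as a filter: exit 0 = accept, 1 = reject.
if [ $# -gt 0 ]; then
    if validate_key "$1"; then
        echo "accept: $1"
        exit 0
    else
        echo "reject: $1" >&2
        exit 1
    fi
fi
```

Because gpg locates an ASCII-armoured block inside surrounding text, the same function works on a whole saved email as on a bare key file; a submission that carries no importable key material fails the import and is rejected before anything reaches the real key pool.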
