On 16 December 2011 18:50, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> On 12/16/2011 10:51 AM, gn...@lists.grepular.com wrote:
>> I understand that once you've uploaded something to the keyservers, it
>> can't be removed. E.g., if I sign someone else's key and upload that, it
>> will be attached to their key permanently?
>
> yes, this is correct. :(
>
>> What if someone were to generate say, 10,000 keypairs with "offensive"
>> uid names, and then sign my key with each of them, and then upload that
>> to the keyservers? Is there anything to stop that?
>
> nope. flooding like this is currently possible. :(
>
>> Is there anything to
>> stop a spammer generating a key with their URL in the uid name and then
>> signing every key they can find and uploading that to the keyservers?
>
> nope, this is also possible. :(
>
>> Has anything like this happened before?
>
> well, there's the JBARSE key, which i vaguely recall having been created
> in a joking way to threaten character assassination, but i can't find
> any keys that it has actually signed, nor any documentation to explain
> why i have this recollection, so please take with a grain of salt.

I'm wondering if this could be used as an attack vector against (say) freedombox, if it became popular, e.g.

1. Let's say FBX got a big sponsorship, could the key servers cope with 1 million, 10 million, 100 million new keys? Granted, this is a nice problem to have! :)

2. Could a malicious or anti-freedom oriented entity use this to disrupt the FBX network, for example by using a botnet to keep spamming key servers, similar to email spam botnets.

CC: FBX mail list

>
> --dkg
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users