On Wed, 3 Jul 2019 12:35, gnupg-users@gnupg.org said:

> problem but I have read RJH's article). It sounds like SKS servers can
> handle these poisoned keys but GPG can't. That suggests that maybe GPG's

I think here is a misunderstanding. Sure, processing 150k signatures takes quite some time and makes things very slow. This is why we call it a DoS. We can't do much about it. Compare it to X.509 CRLs - they have a very similar problem (cacert.org is a prominent but not the only example of CRLs making S/MIME processing very slow).

The actual problem in gpg when using the keybox format is that only after processing the imported keys we hit a 5 MiB limit for the keyblock in the database layer. Thus the import fails. Determining the size of the keyblock as it will be stored requires that we first remove some (standard) garbage from the keyblock - this takes some time. With the currently deployed code gpg will just reject any updates from a key if that limit was reached. That is not a good choice and the reason why I call it a bug. The fix to this bug is to fall back to importing a stripped-down version of the key. The current state is that we keep only self-signatures and then import again with import-clean (which is then basically identical to import-minimal).

> For example, if the problem is overuse of resources such as memory, could
> the keyring handling code be rewritten to use fewer resources? e.g. treat

Years ago we had the problem that people uploaded keys with large user ids and such. Thus we introduced limits to avoid spamming the keyring with such faked data. There is also an overall limit of 5 MiB for the entire keyblock which is sufficient for all real-world keyblocks - even for those with many key-signatures.

> signatures when importing a key, perhaps there could be a limit to how many
> signatures GPG will verify. Does it really have to verify every single one?

It needs to validate all self-signatures because they make up the integrity of the keyblock. For key-signatures, sure we could introduce a limit; we actually do that with import-clean because that imports only those key-signatures which we can verify and which are the latest from the same key (it is possible to sign a key several times to change metadata associated with the key-signature).

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
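The import fallback Werner describes (hit the keyblock size limit, keep only self-signatures, then import again with import-clean, which itself keeps only verifiable third-party signatures and the latest one per issuing key) can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not GnuPG's code. The 5 MiB limit comes from the mail, while the per-signature and base sizes, the dataclass layout, and the sample "poisoned" keyblock are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model only: sizes and layout are assumptions, not GnuPG's
# actual keybox encoding.
KEYBLOCK_LIMIT = 5 * 1024 * 1024   # the 5 MiB keyblock limit from the mail
SIG_SIZE = 600                     # assumed bytes per encoded signature
BASE_SIZE = 2048                   # assumed bytes for key material + user ids


@dataclass(frozen=True)
class Signature:
    issuer: str       # key id of the signing key
    created: int      # creation timestamp; larger means newer
    verifiable: bool  # True if we hold the issuer's key and the signature checks out


@dataclass
class Keyblock:
    keyid: str
    sigs: List[Signature] = field(default_factory=list)

    def encoded_size(self) -> int:
        return BASE_SIZE + SIG_SIZE * len(self.sigs)

    def is_self_sig(self, sig: Signature) -> bool:
        return sig.issuer == self.keyid


def import_clean(kb: Keyblock) -> Keyblock:
    """Model of import-clean: keep every self-signature (they carry the
    keyblock's integrity); of the third-party key-signatures keep only those
    we can verify, and of those only the latest per issuing key."""
    kept = [s for s in kb.sigs if kb.is_self_sig(s)]
    latest = {}
    for s in kb.sigs:
        if kb.is_self_sig(s) or not s.verifiable:
            continue
        if s.issuer not in latest or s.created > latest[s.issuer].created:
            latest[s.issuer] = s
    kept += sorted(latest.values(), key=lambda s: s.issuer)
    return Keyblock(kb.keyid, kept)


def strip_to_self_sigs(kb: Keyblock) -> Keyblock:
    """Drop every signature that was not made by the key itself."""
    return Keyblock(kb.keyid, [s for s in kb.sigs if kb.is_self_sig(s)])


def import_keyblock(kb: Keyblock, fallback: bool = True,
                    limit: int = KEYBLOCK_LIMIT) -> Tuple[Optional[Keyblock], str]:
    """Returns (stored keyblock or None, outcome).
    fallback=False models the deployed behaviour from the mail (reject any
    update once the limit is hit); fallback=True models the fix (keep only
    self-signatures, then import again with import-clean)."""
    if kb.encoded_size() <= limit:
        return kb, "imported"
    if not fallback:
        return None, "rejected"
    stripped = import_clean(strip_to_self_sigs(kb))
    if stripped.encoded_size() <= limit:
        return stripped, "imported-stripped"
    return None, "rejected"


def poisoned_keyblock(n_bogus: int = 150_000) -> Keyblock:
    """Constructed sample: two self-signatures, two genuine signatures from
    one friend (the older one superseded), and n_bogus unverifiable
    key-signatures from throwaway keys."""
    sigs = [Signature("OWNER", 100, True), Signature("OWNER", 200, True),
            Signature("FRIEND", 150, True), Signature("FRIEND", 300, True)]
    sigs += [Signature(f"BOGUS{i:06d}", 1, False) for i in range(n_bogus)]
    return Keyblock("OWNER", sigs)


if __name__ == "__main__":
    kb = poisoned_keyblock()
    print("encoded size:", kb.encoded_size(), "limit:", KEYBLOCK_LIMIT)
    print("deployed behaviour:", import_keyblock(kb, fallback=False)[1])
    stored, outcome = import_keyblock(kb)
    print("with fix:", outcome, "- signatures kept:", len(stored.sigs))
```

The model makes the two points of the mail visible: without the fallback an oversized keyblock causes the whole update to be rejected, so a flooded key can no longer receive legitimate updates; with the fallback the self-signatures survive, which is what the keyblock's integrity depends on.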
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users