
Re: Do we need to secure our keyservers against kind of DoS Attacks



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christoph Anton Mitterer wrote:
> On Sun, 2009-02-01 at 16:25 -0500, Daniel Kahn Gillmor wrote:
>> So: Is this scheme fully implemented and easy-to-use yet?  No.  But
>> the pieces are there, and it's already been assembled piecemeal with
>> currently-available tools.  If you are interested, or manage to push
>> it further, i'd be very happy to hear about your progress.

> Well my time's limited ^^...
> I had hoped to get somehow in contact with the keyserver software
> developers,..

sks-devel[AT]nongnu.org

Yaron Minsky did the development work, but doesn't have time for new development,
only maintenance.

The other keyserver list, pgp-keyserver-folk[AT]alt.org, seems to have gone missing.

> The keyservers should also communicate securely with each other,.. in your
> setup there's still the (of course very small) chance that the secure
> keyserver (e.g. yours) is already attacked and doesn't get the full
> data during its synchronisation with the others,...

Under SKS, it will get that data from another keyserver. To forge a key would
require co-opting and taking simultaneous control of all the SKS keyservers.

To fool a keyserver would require being able to fake hashes of the database
contents on-the-fly.

> and I suppose most people use one of the "big/wellknown" keyservers when
> submitting their keys.

Yeah, even when the code the keyserver runs is broken/orphaned.

> And as you've said, one important point would be client support...
> The average user probably doesn't want to set up socat or any similar
> proxy.

No, it would have to be done in the client.

- --
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys@xxxxxxxxxxxxxx?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn4907-2008-12-21 (Windows XP)
Comment: When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
Comment: Be part of the £33† ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with SeaMonkey - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----
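
Added example, not part of the original message and not SKS code: a simplified model of the point made above about synchronisation, where a keyserver that one peer starves of a record still obtains it from another peer, and a record whose content does not match its advertised hash is rejected. The Keyserver class, its method names, the plain set difference (SKS uses a more efficient set reconciliation protocol) and SHA-256 as the digest are assumptions made for illustration; the key blobs are constructed sample data.

```python
import hashlib

def digest(blob: bytes) -> str:
    # Content hash identifying a key record (SHA-256 is a stand-in, an assumption).
    return hashlib.sha256(blob).hexdigest()

class Keyserver:
    """Hypothetical keyserver model: a database of key blobs indexed by hash."""
    def __init__(self, name, withhold=(), tamper=False):
        self.name = name
        self.db = {}                   # digest -> key blob
        self.withhold = set(withhold)  # digests a misbehaving peer hides
        self.tamper = tamper           # misbehaving peer alters blobs it serves

    def add(self, blob):
        self.db[digest(blob)] = blob

    def advertised(self):
        # The set of hashes this server claims to hold during reconciliation.
        return set(self.db) - self.withhold

    def fetch(self, h):
        blob = self.db[h]
        return blob + b"-forged" if self.tamper else blob

    def reconcile(self, peer):
        """Pull every record the peer advertises that we lack; return rejected digests."""
        rejected = []
        for h in sorted(peer.advertised() - set(self.db)):
            blob = peer.fetch(h)
            if digest(blob) == h:      # accept only content matching its hash
                self.db[h] = blob
            else:
                rejected.append(h)
        return rejected

def demo():
    alice, bob = b"constructed key: alice", b"constructed key: bob"
    honest = Keyserver("honest")
    honest.add(alice); honest.add(bob)
    hiding = Keyserver("hiding", withhold={digest(bob)})   # starves us of bob
    hiding.add(alice); hiding.add(bob)
    forging = Keyserver("forging", tamper=True)            # serves altered content
    forging.add(bob)
    fresh = Keyserver("fresh")
    after_hiding = (fresh.reconcile(hiding), digest(bob) in fresh.db)
    rejected = fresh.reconcile(forging)
    fresh.reconcile(honest)            # one honest peer is enough to converge
    return after_hiding, rejected, fresh.db == honest.db
```
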