[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Do we need to secure our keyservers against kind of DoS Attacks

On Sat, 2009-01-31 at 16:30 -0800, Wim Lewis wrote:
> One of the  
> strengths of the PGP setup, I think, is that you don't have to trust  
> the keyserver;
Well I think you already do this or better said, the whole PKI does it.
It's just not yet secured.

> An end-to-end approach is better, IMHO. (It also protects against the  
> opposite side of the equation: is Mallory secretly stripping the  
> revocation certificate out of your friend's uploads to the keyserver?  
> Also, I don't want to have to make trust/policy decisions based on  
> how much I trust the people running the keyserver, how strong my  
> trust path is to their key, and so on. That way lies X.509...)  
Yeah but again,.. I think you're already doing this, otherwise you'd
have to retrieve all you key updates manually from the key owners (e.g.
every day or so). Even worse, you'd also have to retrieve updates by the
signers to the keys of your keyrings, and their signers and so on..

> Notionally, I want some sort of periodic, signed communication from  
> other keyholders, saying, "The official state of my key-and- 
> subpackets is X. Expect another message before date Y".
But this is very difficult, as it's probably not enough to only get the
official state of the key of your direct contacts (see above)

> However, not  
> all of the subpackets are really important: if I'm missing a  
> signature from someone else,
But what if this signature is part of the trust path?

>  or an alternate user ID, I'm not going  
> to trust you any *more* than if I have it. So this thing only needs  
> to cover packets which reduce trust --- revocations, I guess. (Am I  
> missing a scenario here?)
I think you miss the case of keys, that you didn't sign yourself, but
have some indirect trust path to it.

> But is this actually any different from periodically renewing a set  
> of expiring signatures? (I don't think so, but I could easily be  
> missing stuff.) In which case, OpenPGP already supplies everything  
> needed to prevent this sort of denial-of-key-distribution attack.

> Of course I think securing the keyserver communication is *also*  
> good, as long as the trust model doesn't depend on it. :)
I think it actually DOES depend on it. Even if you'd completely forget
keyservers and imagine that you directly exchange the keys with your
direct contacts (I mean that official most recent state of the key), you
could "loose" their revocation certs when an attacker strips them of.
So even in that case, your direct contact would have to sign the whole
key as if it would be casual data.

Or am I wrong?

Best wishes,
Christoph Anton Mitterer
Ludwig-Maximilians-UniversitÃt MÃnchen


Attachment: smime.p7s
Description: S/MIME cryptographic signature