undefined | Better HN

0 pointsdiafygi10y ago0 comments

The SKS keyserver pool (which keys.gnupg.net alias's to) doesn't do any cryptographic verification, even verifying self-signatures, before upload. The software just checks to see if the format is valid.

It's up to the clients to do their own verification, which in this case GPG does perfectly (it doesn't import the invalid subkey since the self-signature is invalid).

0 comments

davout10y ago

If it's true it's a nice DoS vector

lutoma10y ago

fwiw this is currently being discussed on the sks mailing list, but the overwhelming opinon seems to be that the current behaviour should stay. https://lists.nongnu.org/archive/html/sks-devel/2015-05/msg0...

j / k navigate · click thread line to collapse

0 pointsdiafygi10y ago0 comments

It's up to the clients to do their own verification, which in this case GPG does perfectly (it doesn't import the invalid subkey since the self-signature is invalid).

0 comments

davout10y ago

If it's true it's a nice DoS vector

lutoma10y ago

j / k navigate · click thread line to collapse