[Sks-devel] keyserver problems and threats

[Olaf Gellert]

Hi all,

the new year just started and I found a good reason
to think again about some things that came into my
mind a few years ago: A colleague of mine recently
finished a bachelor thesis on the problems of pgp
key servers. In a way we all operate and use a network
of keyservers that somehow waits for the first bad
guys to come by and do some naughty things. The first
idea I had some years ago was "uploading keys with
copyrighted or pornographic picture IDs", another idea
of my colleague was "using the keyserver network as a
nice, distributed and very reliable backup for huge
amounts of data" (split into lots of key packets). Even
if Europe would vanish completely my data would still
survive on some of the other keyservers. Wow! What else
will we see in the time to come?

Well, you might have a look into the thesis, it sums
up some of the problems (mostly design issues and a
small amount of implementation issues):

http://www.informatik.uni-hamburg.de/SVS/theses/06-08-27-BT-Holst-PGP-Key-Servers.pdf

Maybe I am a bit pessimistic which is a good mentality
for a security researcher and a bad one for nearly
everything else ;-)
But anyway, a few years ago some people forgot about
authentication for most internet based services and
now we have all these nice things like spam, worm
attacks, trojan horses etc... So I am curious what
awaits us keyserver-folks in the next years. And I
hope that we might win the race though I am sure we'll
have to develop a new generation of tamper resistant
key servers using more secure protocols. Any takers?

Cheers and a good start in 2007. :-)

Olaf

-- 

Dipl.Inform. Olaf Gellert                   INTRUSION-LAB.NET
Senior Researcher,                      www.intrusion-lab.net
PKI - and IDS - Services        address@hidden