[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] heads-up: another attack tool, using SKS as FS

From: Ryan Hunt
Subject: Re: [Sks-devel] heads-up: another attack tool, using SKS as FS
Date: Fri, 13 Jul 2018 18:57:10 -0600

Could this be mitigated by validating email addresses as they come in? Like 
sending an encrypted mail to the said address with a return token, If the token 
is not provided the key is never put into the SKS rotation?

I think a solution like this would be much more effective, and if there was 
some desire to conform to GDPR at some point it would be pretty much required 
first step because I cannot see how we could possibly remove keys without a 
command signed by that key, and putting this in place would make that ‘no more 
difficult to remove than it was to add’..

-Ryan Hunt

> On Jul 13, 2018, at 11:20 AM, Phil Pennock <address@hidden> wrote:
> Signed PGP part
> Heads-up:
> This `keyserver-fs` is software to attack SKS, using it as a filesystem, in
> what appears to be a deliberate attack on the viability of continuing to
> run a keyserver.
> The author is upset that there's no deletion, so is pissing in the pool.
> -Phil

reply via email to

[Prev in Thread] Current Thread [Next in Thread]