Could this be mitigated by validating email addresses as they come in? Like
sending an encrypted mail to the said address with a return token, If the token
is not provided the key is never put into the SKS rotation?
I think a solution like this would be much more effective, and if there was
some desire to conform to GDPR at some point it would be pretty much required
first step because I cannot see how we could possibly remove keys without a
command signed by that key, and putting this in place would make that ‘no more
difficult to remove than it was to add’..
Regards,
-Ryan Hunt
On Jul 13, 2018, at 11:20 AM, Phil Pennock <address@hidden> wrote:
Signed PGP part
Heads-up:
https://medium.com/@mdrahony/are-pgp-key-servers-breaking-the-law-under-the-gdpr-a81ddd709d3e
https://github.com/yakamok/keyserver-fs
https://lobste.rs/s/sle0o4/are_pgp_key_servers_breaking_law_under
This `keyserver-fs` is software to attack SKS, using it as a filesystem, in
what appears to be a deliberate attack on the viability of continuing to
run a keyserver.
The author is upset that there's no deletion, so is pissing in the pool.
-Phil
_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel