
Re: [Sks-devel] heads-up: another attack tool, using SKS as FS

From: Human at FlowCrypt
Subject: Re: [Sks-devel] heads-up: another attack tool, using SKS as FS
Date: Sat, 14 Jul 2018 19:51:43 +0800

Thanks Andrew for pointing it out. We could grandfather such keys if their uid length fits within a limit (256 bytes?). But do not return such keys in search results, except when searched directly by fingerprint or longid.

Newly uploaded keys without a valid uid email address would not be accepted.

Speaking of preventing abuse, only email addresses and key ids should get indexed for search, and only strict match should be allowed.

On Sat, Jul 14, 2018, 19:30 Andrew Gallagher <address@hidden> wrote:

> On 14 Jul 2018, at 09:34, Human at FlowCrypt <address@hidden> wrote:
> > > Could this be mitigated by validating email addresses as they come in?
> > No, because ID fields are not required to be email addresses.
> Then let's drop keys that don't contain a valid email address in the key id.

> You do realise that the largest use case for PGP keys is package distribution, and many well known package distributors deliberately use signing keys with no email address?
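The acceptance and indexing policy proposed in the message above, written out as a constructed Python model (an added example, not SKS code): new uploads need a valid e-mail UID, existing keys without one are grandfathered only when their UIDs stay under the 256-byte limit, and only e-mail addresses and key ids are indexed, strict match only. The Key class, the e-mail pattern and the sample fingerprints are assumptions made here.

```python
import re
from dataclasses import dataclass

# Constructed model of the policy proposed above (not SKS code): new keys need
# a valid e-mail UID, existing keys without one are grandfathered only if every
# UID is short, and only e-mail addresses and key ids are indexed, exact match.
UID_BYTE_LIMIT = 256  # the "256 bytes?" figure floated in the post
EMAIL = r"[^<>\s@]+@[^<>\s@]+\.[^<>\s@]+"  # assumed minimal e-mail shape


@dataclass
class Key:
    fingerprint: str  # 40 hex digits; sample values used below are constructed
    uids: list


def extract_email(uid):
    """Return the lower-cased e-mail in a UID ('Name <a@b.c>' or bare), else None."""
    m = re.search(r"<(" + EMAIL + r")>\s*$", uid)
    candidate = (m.group(1) if m else uid).strip()
    return candidate.lower() if re.fullmatch(EMAIL, candidate) else None


def norm(term):
    """Normalise a search term or key id: lower-case, strip a leading 0x."""
    term = term.strip().lower()
    return term[2:] if term.startswith("0x") else term


class Index:
    def __init__(self):
        self.exact = {}  # e-mail or key id -> set of fingerprints (strict match only)

    def submit(self, key, existing=False):
        fpr = norm(key.fingerprint)
        if not re.fullmatch(r"[0-9a-f]{40}", fpr):
            raise ValueError("fingerprint must be 40 hex digits")
        emails = [e for e in map(extract_email, key.uids) if e]
        if not emails:
            # No e-mail UID: refuse new uploads, grandfather old keys with short UIDs.
            if not existing or any(len(u.encode()) > UID_BYTE_LIMIT for u in key.uids):
                return "rejected"
        # Key ids are always indexed, so a grandfathered key is still found by
        # fingerprint or 64-bit long id; it never appears in e-mail searches.
        for term in [fpr, fpr[-16:], *emails]:
            self.exact.setdefault(term, set()).add(fpr)
        return "accepted" if emails else "grandfathered"

    def search(self, term):
        return sorted(self.exact.get(norm(term), ()))  # no substring or fuzzy matching
```

A distribution signing key with only a descriptive UID, as in the objection just above, is refused as a new upload but kept as a grandfathered key reachable by fingerprint or long id only.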

