sks-devel

Re: [Sks-devel] Oh, Jeeez...!


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] Oh, Jeeez...!
Date: Fri, 27 May 2016 14:34:07 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0

On 05/27/2016 02:10 PM, Samir Nassar wrote:
> On 05/24/2016 06:33 AM, Kiss Gabor (Bitman) wrote:
>> Have you remembered I'm continuously worrying about
>> trolls pumping 10-20 millions of dummy keys into key servers?
>> It is started...
> 
> Is there a technical reason why a keyserver like SKS can't remain
> append-only but require that all submitted keys be submitted via
> PGP-signed request of the key-owner?
> 
> Wouldn't this help mitigate this kind of griefing?
> 

No

* For one thing, keyservers don't verify signatures / do cryptographic
operations at all, but leaving that aside.

* You can anyways just generate a new key with the data you want added,
which would validate the signature requirement

* You would introduce a system where you trust the keyserver first
receiving the change if you accept data transfer through gossip
afterwards, breaking fundamental principles of the distributed approach.


-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If you choose to sail upon the seas of banking, build your bank as you
would your boat, with the strength to sail safely through any storm."
(Jacob Safra (1891–1963))

Attachment: signature.asc
Description: OpenPGP digital signature

