On Sat, 2009-01-31 at 16:30 -0800, Wim Lewis wrote:
> One of the
> strengths of the PGP setup, I think, is that you don't have to trust
> the keyserver;

Well, I think you already do this, or better said, the whole PKI does it.
It's just not yet secured.

> An end-to-end approach is better, IMHO. (It also protects against the
> opposite side of the equation: is Mallory secretly stripping the
> revocation certificate out of your friend's uploads to the keyserver?
> Also, I don't want to have to make trust/policy decisions based on
> how much I trust the people running the keyserver, how strong my
> trust path is to their key, and so on. That way lies X.509...)

Yeah, but again... I think you're already doing this, otherwise you'd
have to retrieve all your key updates manually from the key owners (e.g.
every day or so). Even worse, you'd also have to retrieve updates by the
signers to the keys of your keyrings, and their signers and so on...

> Notionally, I want some sort of periodic, signed communication from
> other keyholders, saying, "The official state of my key-and-
> subpackets is X. Expect another message before date Y".

But this is very difficult, as it's probably not enough to only get the
official state of the key of your direct contacts (see above).

> However, not
> all of the subpackets are really important: if I'm missing a
> signature from someone else,

But what if this signature is part of the trust path?

> or an alternate user ID, I'm not going
> to trust you any *more* than if I have it. So this thing only needs
> to cover packets which reduce trust --- revocations, I guess. (Am I
> missing a scenario here?)

I think you miss the case of keys that you didn't sign yourself but
have some indirect trust path to.

> But is this actually any different from periodically renewing a set
> of expiring signatures? (I don't think so, but I could easily be
> missing stuff.) In which case, OpenPGP already supplies everything
> needed to prevent this sort of denial-of-key-distribution attack.

How?

> Of course I think securing the keyserver communication is *also*
> good, as long as the trust model doesn't depend on it. :)

I think it actually DOES depend on it. Even if you'd completely forget
keyservers and imagine that you directly exchange the keys with your
direct contacts (I mean that official most recent state of the key), you
could "lose" their revocation certs when an attacker strips them off.
So even in that case, your direct contact would have to sign the whole
key as if it were casual data.
Or am I wrong?

Best wishes,
--
Christoph Anton Mitterer
Ludwig-Maximilians-Universität München
christoph(_dot_)anton(_dot_)mitterer(_at_)physik(_dot_)uni-muenchen(_dot_)de
mail(_at_)christoph(_dot_)anton(_dot_)mitterer(_dot_)name
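
The periodic signed statement proposed in the quoted text above ("the official state of my key-and-subpackets is X, expect another message before date Y"), sketched from the receiver's side as an added example that is not part of the original thread. Assumptions: HMAC-SHA256 with a demo key stands in for the keyholder's OpenPGP signature, and the packet byte strings, function names and result labels are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: HMAC with a shared demo key stands in for an OpenPGP signature
# so the example runs on the standard library alone.
DEMO_KEY = b"constructed-demo-key"
# Constructed placeholder packets, not real OpenPGP packet encodings.
SELF_SIG = b"self-signature"
REVOCATION = b"revocation-of-subkey-1"


def state_digest(packets):
    """Order-independent digest over the packets the statement covers (the
    thread debates whether that is only revocations or the whole key)."""
    h = hashlib.sha256()
    for p in sorted(packets):
        h.update(len(p).to_bytes(4, "big") + p)  # length prefix avoids ambiguity
    return h.hexdigest()


def make_statement(packets, issued, next_before, key=DEMO_KEY):
    """Keyholder side: 'state is X, expect another message before Y'."""
    body = json.dumps({"state": state_digest(packets),
                       "issued": issued.isoformat(),
                       "next_before": next_before.isoformat()},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def check_key_copy(packets, statement, now, last_issued=None, key=DEMO_KEY):
    """Receiver side: classify a key copy fetched over an untrusted channel."""
    body, tag = statement
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "bad-signature"
    s = json.loads(body)
    if last_issued is not None and datetime.fromisoformat(s["issued"]) < last_issued:
        return "replayed"        # older than a statement already accepted
    if now >= datetime.fromisoformat(s["next_before"]):
        return "stale"           # promised follow-up never arrived
    if state_digest(packets) != s["state"]:
        return "state-mismatch"  # e.g. a revocation was stripped in transit
    return "ok"
```

A "stale" result is what makes withholding detectable: silence past date Y is itself treated as a reason to stop relying on the key.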