List:       pgp-keyserver-folk
Subject:    [Pgp-keyserver-folk] Eye on the prize, and all that
From:       David Shaw <dshaw () jabberwocky ! com>
Date:       2002-08-22 22:42:14

There is an unfortunate tendency on mailing lists for a discussion to
spin out of control and go very far away from the original point, and
I'm just as liable as anyone to contribute to that.

Here are my original points:

1) The current self-sig behavior in pksd is broken, and allowing for a
   denial of service.

2) It needs to be fixed, hopefully before it gets widely exploited.

3) One way to fix it is to not throw away signatures under any
   circumstances.

Now, I do not deny there are other possible fixes, but this is the
simplest, and even at worst, is good enough to keep trouble at bay
until we have a different/better solution.  Jason Harris is currently
doing a lot of code work on pksd and is familiar with it.  If he
doesn't have the time or inclination, who else is familiar with the
code and is willing to take this on?  I'm very familiar with OpenPGP
in general (obviously), but not pksd in particular.  If need be, I can
become familiar.

Many people on this list and others know how to DoS keys on a pksd
keyserver.  Maybe it won't get exploited.  After all, this problem has
existed for a long time, and many people know about it.  However, it
has gotten a lot of attention now, and how long before someone wants
to see their name in lights and sends an exploit to bugtraq?

I'm more than happy to debate the most ideal solution, and what
possible changes could be made in the future with crypto-savvy
keyservers, and these discussions are useful and valid... but talk is
cheap.  While we discuss tomorrow, let's not ignore the problem of
today.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
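The rule proposed in point 3 of the message above, "do not throw away signatures under any circumstances", can be stated as a merge property: a keyserver's merge of a stored key with an uploaded copy must never leave fewer signatures than were stored before. The following is an added illustration, not pksd code and not a description of how pksd actually processes self-signatures; the key model (a mapping from key component to a set of signature identifiers), the `merge_keep_all`, `merge_replace` and `is_superset` functions and the sample data are all constructed for this example.

```python
"""
Added illustration (not pksd code): a toy keyserver merge that follows the
rule "never throw away signatures". Keys are modelled as a dict of
{component: set_of_signature_ids}; the model and sample data are constructed
for this example only and do not describe pksd's real behaviour.
"""
from typing import Dict, Set

KeyRecord = Dict[str, Set[str]]


def merge_keep_all(stored: KeyRecord, upload: KeyRecord) -> KeyRecord:
    """Union merge: every component and signature from either side survives.

    The result is idempotent (merging the same upload twice changes nothing)
    and monotone (no upload can shrink the stored signature set), so an
    attacker who can only upload cannot remove anybody else's signatures.
    """
    merged: KeyRecord = {comp: set(sigs) for comp, sigs in stored.items()}
    for comp, sigs in upload.items():
        merged.setdefault(comp, set()).update(sigs)
    return merged


def merge_replace(stored: KeyRecord, upload: KeyRecord) -> KeyRecord:
    """Hypothetical lossy policy shown only for contrast (NOT pksd's policy):
    the uploaded copy simply replaces whatever was stored."""
    return {comp: set(sigs) for comp, sigs in upload.items()}


def is_superset(after: KeyRecord, before: KeyRecord) -> bool:
    """True if every signature present in `before` is still present in `after`.
    This is the invariant a keyserver merge should preserve."""
    return all(sigs <= after.get(comp, set()) for comp, sigs in before.items())


# Constructed sample: a stored key carrying a self-signature and one
# third-party certification, then a later upload carrying only a fresh
# self-signature on the same user ID.
STORED: KeyRecord = {"uid:alice@example.org": {"selfsig-1", "cert-bob"}}
UPLOAD: KeyRecord = {"uid:alice@example.org": {"selfsig-2"}}

if __name__ == "__main__":
    kept = merge_keep_all(STORED, UPLOAD)
    lost = merge_replace(STORED, UPLOAD)
    print("keep-all retains everything:", is_superset(kept, STORED))   # True
    print("replace retains everything: ", is_superset(lost, STORED))   # False
```

The point of the contrast is the invariant checked by `is_superset`: any merge policy that can return a smaller signature set than it started with gives an uploader a way to erase data, which is exactly the denial-of-service class the post is worried about.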