Re: [Sks-devel] About deleting keys


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] About deleting keys
Date: Tue, 29 Oct 2013 15:51:50 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 10/29/2013 03:47 PM, Arnold wrote:
> On 10/29/2013 02:30 PM, Kristian Fiskerstrand wrote:
>> The discussion gets even more interesting when dealing with
>> revoked keys. If an attacker (with compromised secret key
>> material) is given the ability to delete such a key from the
>> server network and re-upload a non-revoked version, the
>> effective security of the whole system is compromised (or for
>> that matter malicious key server operators doing the same).
>> 
>> There are good reasons for the servers being add-only by
>> design... and you'll find several discussions on this in the
>> past.
> 
> True, the SKS *network* should be add-only by design. However, this
> does not imply that each key server is required to _provide_ each
> and every key in its database or in the SKS network by means of a
> search.
> 
> If the SKS network (currently) can operate based on search by hash
> only (which I assume) and if no current practical use (other than
> test or debug) is hindered by hiding the hash from search results
> (disabling the option "hash=on"), then filtering search results by
> means of a list of key fingerprints seems feasible to me.
> 

I don't understand your point here, can you please elaborate? For
clients accessing the pool the results are simply a DNS round robin
and the client connects to a given SKS server. If there is
fragmentation in the network we'd have to split the servers (probably
exclude servers with deleted keys).

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Testis unus, testis nullus
A single witness is no witness
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.0-beta255 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
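The two policies under discussion, modelled side by side as an added example (not SKS code, and not from either poster): an add-only store that merges submissions by packet-set union, versus a store that lets a submission overwrite the stored key. The `Packet`/`Key` classes, the placeholder fingerprint, the packet payloads and the `hidden` fingerprint filter (Arnold's "hide from search, keep in the database" proposal) are all constructed here for illustration.

```python
# Toy model of keyserver submission policies; an added illustration,
# not SKS's data model. Packet kinds, payloads and the fingerprint below
# are constructed placeholders.
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One OpenPGP-style packet, reduced to a kind and an opaque payload."""
    kind: str   # e.g. "pubkey", "uid", "selfsig", "revocation"
    data: str


@dataclass(frozen=True)
class Key:
    """A key as a keyserver sees it: a fingerprint plus a set of packets."""
    fingerprint: str
    packets: FrozenSet[Packet]

    def is_revoked(self) -> bool:
        return any(p.kind == "revocation" for p in self.packets)

    def digest(self) -> str:
        # Order-independent hash of the packet set: the value peers would
        # compare during reconciliation.
        h = hashlib.sha256()
        for p in sorted(self.packets, key=lambda p: (p.kind, p.data)):
            h.update(f"{p.kind}:{p.data}\n".encode())
        return h.hexdigest()


class AddOnlyKeyStore:
    """Merges submissions by union of packets, so nothing is ever removed.

    `hidden` lists fingerprints that stay in the database (and still take
    part in reconciliation) but are filtered out of search results.
    """

    def __init__(self, hidden: FrozenSet[str] = frozenset()) -> None:
        self._keys: Dict[str, Key] = {}
        self._hidden = set(hidden)

    def submit(self, key: Key) -> Key:
        existing = self._keys.get(key.fingerprint)
        merged = key if existing is None else Key(
            key.fingerprint, existing.packets | key.packets)
        self._keys[key.fingerprint] = merged
        return merged

    def search(self, fingerprint: str) -> Optional[Key]:
        if fingerprint in self._hidden:
            return None
        return self._keys.get(fingerprint)

    def reconcile_digests(self) -> FrozenSet[str]:
        # Everything in the database, hidden or not, is offered to peers.
        return frozenset(k.digest() for k in self._keys.values())


class ReplacingKeyStore(AddOnlyKeyStore):
    """Same interface, but a submission overwrites the stored key: the
    behaviour the thread warns about, where an upload can undo a revocation."""

    def submit(self, key: Key) -> Key:
        self._keys[key.fingerprint] = key
        return key


# Constructed sample data (placeholder fingerprint, not a real key).
FPR = "0000000000000000000000000000000000EXAMPLE"
BASE: FrozenSet[Packet] = frozenset({
    Packet("pubkey", "k1"),
    Packet("uid", "Alice <alice@example.org>"),
    Packet("selfsig", "s1"),
})
REVOKED = Key(FPR, BASE | {Packet("revocation", "r1")})
UNREVOKED = Key(FPR, BASE)   # an older, non-revoked copy of the same key


def still_revoked_after_reupload(store: AddOnlyKeyStore) -> bool:
    """Owner publishes the revocation, then a non-revoked copy is submitted.
    Returns whether the store still reports the key as revoked."""
    store.submit(REVOKED)
    store.submit(UNREVOKED)
    found = store.search(FPR)
    return found is not None and found.is_revoked()


def hidden_but_reconciled() -> Tuple[bool, bool]:
    """A hidden fingerprint is invisible to search yet still reconciled."""
    store = AddOnlyKeyStore(hidden=frozenset({FPR}))
    store.submit(REVOKED)
    return (store.search(FPR) is None,
            REVOKED.digest() in store.reconcile_digests())


if __name__ == "__main__":
    print("add-only keeps revocation:", still_revoked_after_reupload(AddOnlyKeyStore()))
    print("replacing store keeps revocation:", still_revoked_after_reupload(ReplacingKeyStore()))
    print("hidden but reconciled:", hidden_but_reconciled())
```

The union merge is what makes a revocation sticky: once the revocation packet is in the set, no later submission can take it out, whatever key material the submitter holds. The `hidden` filter shows that hiding a key from search is a separate decision from deleting it; the digest set offered to peers is unchanged, so the server stays in sync with the rest of the network.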