Re: [Sks-devel] "quality" of keyservers offering hkps


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] "quality" of keyservers offering hkps
Date: Thu, 14 Aug 2014 16:06:13 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0


On 08/14/2014 04:04 PM, Pete Stephenson wrote:
> On 8/14/2014 2:23 PM, Kristian Fiskerstrand wrote:
>> On 08/14/2014 02:12 PM, Christoph Egger wrote:
>>> "Kiss Gabor (Bitman)" <address@hidden> writes:
>>>>> - mitm attacks  may manipulate up-/downloaded keys
>>>> 
>>>> no
>>>> 
>>>> Every uploaded key can be manipulated legally by anyone. 
>>>> (I.e. you attach a new signature to your friend's key and
>>>> you send back to the key servers.) Moreover anybody can send
>>>> a totally new key in the name of you. Public key server is
>>>> like Wikipedia or a piece of paper. And everybody has a
>>>> pencil. :-)
>> 
>>> You can still block certain packets from up/downloads (i.e. not 
>>> providing signature packets for some key -- kind of a DoS when 
>>> checking a trust path)
>> 
>> Or even more importantly, providing a public key where a 
>> revocation signature has been removed.
> 
> Is this possible?

Certainly

> 
> My (albeit limited) understanding is that SKS is an append-only 
> system, and that it is not possible to remove key packets that are 
> already on the servers.
> 
> Wouldn't a bad guy: a. Need the private key to edit self-signed 
> elements, like revocation signatures?

No, you can drop the full signature or just use a copy of the key from
before revocation was appended.

> b. Be unable to remove the revocation signature, as SKS servers are
> append-only?
> 

Not in a MITM scenario where you don't really talk with SKS in the
first place, hence a very good reason for HKPS in the first place.


-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Timendi causa est nescire
The cause of fear is ignorance
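The rollback case Kristian describes (a man in the middle answering an HKP fetch with a copy of the key taken before the revocation signature was appended) can be flagged on the client by comparing what was just fetched with a cached copy. The following is an added example and not code from this thread or from SKS; it assumes binary (unarmored) key data, parses only packet framing and the v4 signature type byte, and does not verify any signature.

```python
# Added example: detect a fetched key missing a revocation the cached copy had.
from typing import Iterator, Tuple
SIGNATURE_TAG = 2      # RFC 4880 sec. 4.3
KEY_REVOCATION = 0x20  # RFC 4880 sec. 5.2.1: key revocation signature type

def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet in a binary (unarmored) blob."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:  # new-format header, one-, two- or five-octet length
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:           # old-format header, length type in the low two bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def has_key_revocation(key: bytes) -> bool:
    """True if any v4 signature packet in the blob is a key revocation."""
    return any(tag == SIGNATURE_TAG and len(body) >= 2
               and body[0] == 4 and body[1] == KEY_REVOCATION
               for tag, body in iter_packets(key))

def revocation_stripped(cached: bytes, fetched: bytes) -> bool:
    """Rollback check: the cached copy was revoked, the fetched copy is not."""
    return has_key_revocation(cached) and not has_key_revocation(fetched)

# Constructed stand-ins: only headers and the first two signature body octets
# matter to the check above; these are not valid keys or signatures.
def _pkt(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body   # new-format, len < 192

PUBKEY = _pkt(6, b"\x04" + b"\x00" * 7)       # tag 6 public-key stub
SELFSIG = _pkt(2, b"\x04\x13" + b"\x00" * 4)  # 0x13 positive certification
REVSIG = _pkt(2, b"\x04\x20" + b"\x00" * 4)   # 0x20 key revocation
CACHED_KEY = PUBKEY + SELFSIG + REVSIG        # copy seen earlier, revoked
MITM_KEY = PUBKEY + SELFSIG                   # copy from before revocation
```

A real client would additionally verify the revocation signature against the primary key before trusting the cached copy, and fetch over HKPS so the comparison is rarely needed in the first place.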