
Re: Keyserver for gpg.conf ?

From Jeffrey Walton <noloader@gmail.com>
Newsgroups linux.debian.security
Subject Re: Keyserver for gpg.conf ?
Date 2025-11-17 16:40 +0100
Message-ID <LS9uI-dF8I-81@gated-at.bofh.it> (permalink)
References <LRkVb-d7Jl-5@gated-at.bofh.it> <LRsSK-ddir-17@gated-at.bofh.it> <LRvnA-deMI-9@gated-at.bofh.it> <LRBjj-diRy-1@gated-at.bofh.it> <LS9l0-dF3N-7@gated-at.bofh.it>
Organization linux.* mail to news gateway


On Mon, Nov 17, 2025 at 10:27 AM Jeremy Stanley <fungi@yuggoth.org> wrote:
>
> On 2025-11-16 02:57:02 +0000 (+0000), debianmailinglists.hz5zm@simplelogin.com wrote:
> > Do these other keyring servers leave the key intact? I stopped
> > using the key servers for my small personal projects and just have
> > my public key posted on my personal website because one of them (
> > keys.openpgp.org I think ) lists my public key, but it seems to
> > have stripped all the identifying information from it so it can't
> > be searched for by email address and even if you download the copy
> > they have apps like Kleopatra fail to import it, and when
> > comparing it to my copy of the public key I manually exported the
> > contents are MUCH shorter on their copy.
> [...]
>
> The main reason for this, as I understand it, is to avoid the
> vulnerabilities which led to the fall of the SKS keyserver network.
> In short, the traditional keyserver model of allowing anyone to
> upload third-party signatures for keys they didn't control led
> eventually to vandals and other malicious persons uploading unwanted
> signatures with objectionable content or in volumes which overflowed
> the ability of clients and servers to deal with them (denial of
> service on the network and also on specific keys making them
> irretrievable). They did this in the most severe way possible,
> essentially filtering out all third-party signatures and even
> self-signatures and UIDs if the uploader can't prove control of the
> E-mail addresses associated with them (which implicitly means
> discarding non-E-mail identities too such as photo images).
>
> Discussions I followed some time ago indicated they were willing to
> accept updates that enabled a caff-style approval process for
> third-party signatures at least, but it sounded like the existing
> team didn't have the resources to develop such a feature and that it
> would require additional volunteers working on that.

And to add some reading material, see
<https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html>.
Daniel Kahn Gillmor (dkg) was one of the folks who was targeted in the
attack.

Jeff
