Re: Keyserver for gpg.conf ?



On Mon, Nov 17, 2025 at 10:27 AM Jeremy Stanley <fungi@yuggoth.org> wrote:
>
> On 2025-11-16 02:57:02 +0000 (+0000), debianmailinglists.hz5zm@simplelogin.com wrote:
> > Do these other keyring servers leave the key intact? I stopped
> > using the key servers for my small personal projects and just have
> > my public key posted on my personal website because one of them
> > (keys.openpgp.org I think) lists my public key, but it seems to
> > have stripped all the identifying information from it so it can't
> > be searched for by email address and even if you download the copy
> > they have, apps like Kleopatra fail to import it, and when
> > comparing it to my copy of the public key I manually exported the
> > contents are MUCH shorter on their copy.
> [...]
>
> The main reason for this, as I understand it, is to avoid the
> vulnerabilities which led to the fall of the SKS keyserver network.
> In short, the traditional keyserver model of allowing anyone to
> upload third-party signatures for keys they didn't control led
> eventually to vandals and other malicious persons uploading unwanted
> signatures with objectionable content or in volumes which overflowed
> the ability of clients and servers to deal with them (denial of
> service on the network and also on specific keys making them
> irretrievable). They did this in the most severe way possible,
> essentially filtering out all third-party signatures and even
> self-signatures and UIDs if the uploader can't prove control of the
> E-mail addresses associated with them (which implicitly means
> discarding non-E-mail identities too such as photo images).
>
> Discussions I followed some time ago indicated they were willing to
> accept updates that enabled a caff-style approval process for
> third-party signatures at least, but it sounded like the existing
> team didn't have the resources to develop such a feature and that it
> would require additional volunteers working on that.

And to add some reading material, see
<https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html>.
Daniel Kahn Gillmor (dkg) was one of the folks who was targeted in the
attack.

Jeff
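As an added illustration (not part of the thread) of what the original poster saw: an OpenPGP public-key export is a sequence of packets, and a copy that has had third-party signatures and user attributes stripped simply contains fewer of those packets. The script below parses OpenPGP packet headers (RFC 4880 section 4.2) and compares the packet inventories of two exports; the sample exports are constructed stand-ins with dummy bodies, not real keys.

```python
import struct
from collections import Counter

# Packet tags seen in a public-key export (RFC 4880 section 4.3).
TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey", 17: "user-attribute"}

def parse_packets(blob):
    """Split a binary OpenPGP export into (tag, body) pairs (old- and new-format headers)."""
    packets, i = [], 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {i}")
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, blob[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", blob[i + 2:i + 6])[0], 6
            else:                           # partial body lengths: refuse rather than guess
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)          # 1, 2 or 4 length octets
            length = int.from_bytes(blob[i + 1:i + hdr], "big")
        body = blob[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        packets.append((tag, body))
        i += hdr + length
    return packets

def inventory(blob):
    """Count packets per type; unknown tags are reported as tag-N."""
    return Counter(TAG_NAMES.get(t, f"tag-{t}") for t, _ in parse_packets(blob))

def missing_from_server_copy(local, server):
    """Packet types the local export has more of than the server's copy, as (local, server) counts."""
    a, b = inventory(local), inventory(server)
    return {k: (a[k], b.get(k, 0)) for k in a if a[k] > b.get(k, 0)}

def pkt(tag, body):  # constructed new-format packet with a one-octet length (body < 192 octets)
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed stand-ins (dummy bodies): key, uid, self-sig, third-party sig, photo attribute + self-sig, subkey + binding sig.
LOCAL_EXPORT = b"".join(pkt(t, b"x") for t in (6, 13, 2, 2, 17, 2, 14, 2))
# Server copy: third-party signature and the user attribute (with its signature) are gone.
SERVER_COPY = b"".join(pkt(t, b"x") for t in (6, 13, 2, 14, 2))
```

Running `missing_from_server_copy(LOCAL_EXPORT, SERVER_COPY)` on the stand-ins reports two fewer signatures and the user-attribute packet missing, which is the kind of shrinkage described in the quoted message. Against a real key, `gpg --list-packets` on both exports shows the same difference.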