Hello.

Am Donnerstag, den 10.01.2019, 16:23 +0100 schrieb Stefan Claas:

> > It's part of GNU philosophy to not implement unnecessary
> > hard limits in software but one good reason to impose limits
> > is to prevent denial of service conditions. 

> What i really don't get with this DoS stuff is when one uses with
> friends etc. the regular version of GnuPG / PGP and obtains the
> keys from friends, checks the fingerprint why should one worry?
> Sure, if i customize the source code I can do such stuff to other
> keys on SKS key servers, but then people can still ask their friends
> and say "hi there seems to be something wrong with your key, can you
> mail me please a copy".

DoS does not necessarily mean crashing the system. A "hanging" process
or a process that takes much more time as necessary is also a DoS.

Crashing a system is only the hardest variant.

And this prevents also prevents an unintended DoS which means a very
big key by mistake. It's okay to allow the generation of everything a
user wants, especially in open source software where everybody can
change the values. A hard limit would make no sense at all.


> Or are there cases when messages are in transient and can those
> be quickly modified, so that GnuPG crashes (your system)?

As said, it's not necessarily a crash, but GPOG takung two hours to
process a key which has gigabytes, just for example, could be
considered a DOS. ^^

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to