Hello.

On Thursday, 10.01.2019, at 16:23 +0100, Stefan Claas wrote:
> > It's part of GNU philosophy to not implement unnecessary
> > hard limits in software but one good reason to impose limits
> > is to prevent denial of service conditions.
>
> What I really don't get with this DoS stuff is when one uses with
> friends etc. the regular version of GnuPG / PGP and obtains the
> keys from friends, checks the fingerprint why should one worry?
> Sure, if I customize the source code I can do such stuff to other
> keys on SKS key servers, but then people can still ask their friends
> and say "hi there seems to be something wrong with your key, can you
> mail me please a copy".

DoS does not necessarily mean crashing the system. A "hanging" process or a process that takes much more time than necessary is also a DoS. Crashing a system is only the hardest variant.

And this also prevents an unintended DoS, which means a very big key by mistake. It's okay to allow the generation of everything a user wants, especially in open source software where everybody can change the values. A hard limit would make no sense at all.

> Or are there cases when messages are in transient and can those
> be quickly modified, so that GnuPG crashes (your system)?

As said, it's not necessarily a crash, but GnuPG taking two hours to process a key which has gigabytes, just for example, could be considered a DoS. ^^

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
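Added example, not part of the original message and not GnuPG code: one way to bound the time spent on a received key, in the sense discussed above, is to walk the OpenPGP packet headers (RFC 4880 framing) and check total size and signature-packet count before any cryptographic processing. The function names and the limits `max_bytes` and `max_sigs` are assumptions chosen for illustration, and the sample key is constructed with dummy packet bodies.

```python
SIG_TAG = 2  # signature packet tag in RFC 4880

def read_packets(data):
    """Yield (tag, body_length) for each packet in binary OpenPGP data."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("no packet header at offset %d" % pos)
        pos += 1
        if first & 0x40:  # new-format header
            tag, o1 = first & 0x3F, data[pos]
            if o1 < 192:
                length, pos = o1, pos + 1
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, length
        pos += length

def screen_key(data, max_bytes=1_000_000, max_sigs=1000):
    """Return (ok, reason); limits are illustrative assumptions."""
    if len(data) > max_bytes:
        return False, "key is %d bytes, limit is %d" % (len(data), max_bytes)
    sigs = 0
    try:
        for tag, _ in read_packets(data):
            sigs += tag == SIG_TAG
            if sigs > max_sigs:
                return False, "more than %d signature packets" % max_sigs
    except (ValueError, IndexError) as exc:
        return False, "malformed key data: %s" % exc
    return True, "%d signature packets" % sigs

def constructed_key(n_sigs):
    """Constructed sample: real packet framing, dummy bodies."""
    key = b"\x99\x00\x04" + b"\x00" * 4 + b"\xb4\x05alice"  # tags 6 and 13
    return key + (b"\x88\x03" + b"\x00" * 3) * n_sigs  # tag 2 packets
```

The input must be binary (dearmored) key data; the check only reads headers, so its cost grows with the number of packets rather than with the cost of verifying them.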