Ángel wrote:
> On 2019-07-02 at 12:24 +0200, Werner Koch via Gnupg-users wrote:
>
> > > My opinion: make "keyserver-options import-clean" the default and
> > > make it internally never import any unknown signatures.
> >
> > Sorry, this is a catch-22. We need the key to verify the signature.
>
> I don't think so. You can have the signing key in the keyring, even if
> that one was imported with only its own self-sigs.
>
> Ultimately, I think the signatures should only be imported when they are
> cross-signed by the key owner.
>
> This would require a migration step where people signed the signatures
> they already have on their key, but would otherwise allow them to keep
> their 'precious signatures' they already have.
>
> Then there should probably be a new command that would have to be used
> to import the new signatures to your key that you are sent.
>
> It won't fix the problem of malicious keys being made with thousands
> of fake signatures, but it pretty much solves the spamming problem by
> only putting the owner in charge of accepting the signatures that can go
> on his key.
>
> Cheers
Apologies in advance if this is a stupid comment (I don't know about gpg's implementation or the precise reason why keys with many signatures are a problem, but I have read RJH's article).

It sounds like SKS servers can handle these poisoned keys but GPG can't. That suggests that maybe GPG's keyring handling code could be changed so that poisoned keys no longer constitute a DoS.

For example, if the problem is overuse of resources such as memory, could the keyring handling code be rewritten to use fewer resources? e.g. treat the keyring like a database where not all of it can fit in memory at the same time. If that were possible, these other changes wouldn't be needed. But perhaps it already does that and it's not enough.

On the other hand, if the problem is that GPG is validating all of those signatures when importing a key, perhaps there could be a limit to how many signatures GPG will verify. Does it really have to verify every single one? Limiting the number that will be verified (or the amount of time spent verifying them) might prevent this situation from becoming a DoS while still giving confidence that the key being imported has been signed by at least some members of your WoT.

Again, apologies if I'm completely misunderstanding the issue. Perhaps the problem isn't limited to importing. I'm just thinking that being able to cope with garbage is more robust than trying to come up with ways to avoid garbage, especially when you know that garbage happens.

cheers,
raf

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
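As an added illustration (not code from this thread, from GnuPG or from SKS), the following Python models the two ideas discussed above on a constructed poisoned key: Ángel's rule that a third-party certification is imported only when the key owner has countersigned it, and raf's cap on how many signatures are verified during an import. OpenPGP signature verification is stood in for by an HMAC over constructed key material so the example runs offline; `KEYRING`, `clean_import`, `countersign`, the key ids, the user ids and all counts are assumptions of the example, not GnuPG behaviour.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Stand-in for OpenPGP signature verification: an HMAC over the signed
# data keyed by per-signer material. This is NOT OpenPGP; it only lets the
# example run offline with the standard library. In a real keyring this
# table would be the public keys already imported (self-sigs only suffice).
# All key ids and key material below are constructed for the example.
KEYRING = {
    "OWNER": b"owner-material",
    "ALICE": b"alice-material",
    "BOB": b"bob-material",
}


def _mac(material: bytes, data: bytes) -> bytes:
    return hmac.new(material, data, hashlib.sha256).digest()


@dataclass(frozen=True)
class Certification:
    signer: str   # key id that made the certification
    target: str   # user id being certified
    sig: bytes    # stand-in signature value


def sign_cert(signer: str, target: str) -> Certification:
    data = f"{signer}|{target}".encode()
    return Certification(signer, target, _mac(KEYRING[signer], data))


def countersign(owner: str, cert: Certification) -> bytes:
    # The key owner's approval of a third-party certification (the cross-signing idea).
    return _mac(KEYRING[owner], b"approve:" + cert.sig)


@dataclass
class Key:
    owner: str
    certifications: list = field(default_factory=list)
    approvals: dict = field(default_factory=dict)   # cert.sig -> owner countersignature


def _verify(signer: str, data: bytes, sig: bytes, stats: dict) -> bool:
    stats["verified"] += 1                       # every crypto check is counted
    material = KEYRING.get(signer)
    if material is None:
        return False                             # signer not in keyring: cannot verify
    return hmac.compare_digest(sig, _mac(material, data))


def clean_import(key: Key, max_verify: int = 100):
    """Import-clean with two rules: a third-party cert is kept only if the owner
    countersigned it, and at most max_verify signature checks are performed."""
    stats = {"verified": 0, "accepted": 0, "unapproved": 0, "over_cap": 0, "invalid": 0}
    accepted = []
    for cert in key.certifications:
        is_self = cert.signer == key.owner
        if not is_self and cert.sig not in key.approvals:
            stats["unapproved"] += 1             # dropped by a dict lookup, no crypto at all
            continue
        needed = 1 if is_self else 2             # the cert, plus the owner's countersignature
        if stats["verified"] + needed > max_verify:
            stats["over_cap"] += 1               # verification budget exhausted: skip cheaply
            continue
        ok = _verify(cert.signer, f"{cert.signer}|{cert.target}".encode(), cert.sig, stats)
        if ok and not is_self:
            ok = _verify(key.owner, b"approve:" + cert.sig, key.approvals[cert.sig], stats)
        if ok:
            accepted.append(cert)
            stats["accepted"] += 1
        else:
            stats["invalid"] += 1
    return accepted, stats


def build_poisoned_key(spam_count: int = 5000) -> Key:
    """Constructed sample: one self-sig, two owner-approved certs, one genuine but
    unapproved cert, and thousands of junk certs from signers nobody has a key for."""
    uid = "OWNER <owner@example.invalid>"
    key = Key(owner="OWNER")
    key.certifications.append(sign_cert("OWNER", uid))
    for friend in ("ALICE", "BOB"):
        cert = sign_cert(friend, uid)
        key.certifications.append(cert)
        key.approvals[cert.sig] = countersign("OWNER", cert)
    key.certifications.append(sign_cert("ALICE", "OWNER <other@example.invalid>"))
    for i in range(spam_count):
        junk_sig = hashlib.sha256(f"junk-{i}".encode()).digest()
        key.certifications.append(Certification(f"SPAM-{i}", uid, junk_sig))
    return key


if __name__ == "__main__":
    kept, stats = clean_import(build_poisoned_key())
    print(f"kept {len(kept)} certifications; stats={stats}")
```

Running it shows the point of combining the two rules: the thousands of junk certifications cost one dictionary lookup each and never reach signature verification, the genuine but unapproved certification is also left out until the owner countersigns it, and the cap bounds the crypto work even if an attacker supplies many certifications that do carry an approval entry.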