On Sun, 2014-03-23 at 16:08 -0400, Jonathan Wilkes wrote: > Hi list, > If I were so inclined couldn't I periodically query every publicly > accessable PGP keyserver (maybe do it in a distributed manner) and > upload a new key with the same name/email address as what was added > since the last time I checked? > > Furthermore, couldn't I periodically query every publicly accessible PGP > keyserver (maybe do it in a distributed manner) to see who signed what, > and then mirror that web of trust with the keys I control? > > Furthermore, couldn't I also upload keys with same name/email addresses > for any keys that existed before I started, lie about the creation date, > and work those into my hall of mirrors?
Yes. Which is why a web of trust that isn't grounded is more or less useless, and GnuPG, in its default configuration, will only accept a key as valid if there is a path of signatures to it from your own key. The keyservers are very useful for fetching keys for which you already know the fingerprint. Fetching keys just based on a name or an email address is not secure in the face of attacks like the one you just described. --ll -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.