Re: [Sks-devel] Another Poison Key?

From: DevPGSV Pablo
Subject: Re: [Sks-devel] Another Poison Key?
Date: Tue, 22 Jan 2019 16:43:58 +0100


Yeah, I know that is not a solution. 
Looking at the code, it seems "reasonable" to add keys to the blacklist... so I guess I will check every day for problematic keys, and if I find any I will be able to ban them from my SKS server (and I will notify the list with the keys, as I guess I won't be the only one with the problem).

Thanks again!

On Tue, 22 Jan 2019 at 12:23, Yegor Timoshenko (<address@hidden>) wrote:
Ok, so that was created with my program:

Relevant issue:

> I know it is not a solution, but... is there any way to
> blacklist keys? If there was a way, at least I could blacklist
> manually these attacks, even if I have to check every day.

Sure, here is an updated patch that blacklists this key, as well
as the older poison key:
(based off patch by Shengjing Zhu)

There are several problems with this approach:

1. Future updates for the key will be denied, including
   legitimate ones by key holder (FreePBX team).
2. DoS is still possible just by accessing/fetching the key. To
   fix that, you'll have to remove the DoS packets (large user
   packets with random gibberish, not valid per OpenPGP packet
   spec, does not validate cryptographically) or the whole key.
3. Anyone can create another poison key at any time and there's
   no way to fix that without breaking compat, it's a
   fundamental flaw :-(
