|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2019-07-02 19:42:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
[$] OpenPGP certificate flooding
A problem with the way that OpenPGP
public-key certificates are handled by key servers and applications is
wreaking some havoc, but not just for those who own the certificates (and
keys)—anyone who has those keys on their keyring and does regular updates
will be affected. It is effectively a denial of service attack, but one
that propagates differently than most others. The mechanism of this
"certificate flooding" is one that is
normally used to add attestations to the key owner's identity (also known as
"signing
the key"), but because
of the way most key servers work, it can be used to fill a certificate with
"spam"—with far-reaching effects.
A problem with the way that OpenPGP
public-key certificates are handled by key servers and applications is
wreaking some havoc, but not just for those who own the certificates (and
keys)—anyone who has those keys on their keyring and does regular updates
will be affected. It is effectively a denial of service attack, but one
that propagates differently than most others. The mechanism of this
"certificate flooding" is one that is
normally used to add attestations to the key owner's identity (also known as
"signing
the key"), but because
of the way most key servers work, it can be used to fill a certificate with
"spam"—with far-reaching effects.
