[liberationtech] PGP WOT
Lars Luthman
mail at larsluthman.net
Sun Mar 23 13:28:19 PDT 2014
On Sun, 2014-03-23 at 16:08 -0400, Jonathan Wilkes wrote:
> Hi list,
> If I were so inclined couldn't I periodically query every publicly
> accessible PGP keyserver (maybe do it in a distributed manner) and
> upload a new key with the same name/email address as what was added
> since the last time I checked?
>
> Furthermore, couldn't I periodically query every publicly accessible PGP
> keyserver (maybe do it in a distributed manner) to see who signed what,
> and then mirror that web of trust with the keys I control?
>
> Furthermore, couldn't I also upload keys with same name/email addresses
> for any keys that existed before I started, lie about the creation date,
> and work those into my hall of mirrors?
Yes. Which is why a web of trust that isn't grounded is more or less
useless, and GnuPG, in its default configuration, will only accept a key
as valid if there is a path of signatures to it from your own key.
The keyservers are very useful for fetching keys for which you already
know the fingerprint. Fetching keys just based on a name or an email
address is not secure in the face of attacks like the one you just
described.
--ll
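To make the "grounded" point concrete, here is a small added simulation (not from the post or from GnuPG): a simplified validity rule where your own key is valid and a key becomes valid only when signed by a valid key whose owner you have marked as trusted. The fingerprints, user IDs and the attacker's mirrored signature graph are all constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    fpr: str  # fingerprint (constructed placeholder, not a real key)
    uid: str  # "Name <email>" as it would appear on a keyserver

def valid_keys(own_fpr, sigs, trusted):
    """Fingerprints reachable from our own key through signatures.
    Simplified model: our key is valid; a key becomes valid when it is
    signed by a valid key whose owner we have assigned ownertrust to.
    Signatures among keys with no path from us contribute nothing."""
    valid = {own_fpr}
    changed = True
    while changed:
        changed = False
        for signer, signed in sigs:
            if signer in valid and signer in trusted and signed not in valid:
                valid.add(signed)
                changed = True
    return valid

def lookup_by_uid(keys, uid):
    # What a name/email search returns: every key claiming that UID.
    return [k for k in keys if k.uid == uid]

def lookup_by_fpr(keys, fpr):
    # What a fingerprint fetch returns: at most one key.
    return [k for k in keys if k.fpr == fpr]

def validated_lookup(keys, uid, own_fpr, sigs, trusted):
    # Keys for a UID that are actually valid from our point of view.
    valid = valid_keys(own_fpr, sigs, trusted)
    return [k for k in lookup_by_uid(keys, uid) if k.fpr in valid]

# Constructed genuine web of trust: me -> Alice -> Bob.
GENUINE = [Key("ME00", "Me <me@example.org>"),
           Key("A1CE", "Alice <alice@example.org>"),
           Key("B0B0", "Bob <bob@example.org>")]
GENUINE_SIGS = [("ME00", "A1CE"), ("A1CE", "B0B0")]
# Attacker's hall of mirrors: same UIDs, same signature shape, own keys.
MIRROR = [Key("EV1L-A", "Alice <alice@example.org>"),
          Key("EV1L-B", "Bob <bob@example.org>")]
MIRROR_SIGS = [("EV1L-A", "EV1L-B")]

KEYSERVER = GENUINE + MIRROR          # what a public keyserver holds
ALL_SIGS = GENUINE_SIGS + MIRROR_SIGS
TRUSTED = {"ME00", "A1CE"}            # ownertrust we assigned ourselves
```

A UID search for Alice returns two keys and cannot tell them apart; only the validity computation rooted at our own key, or a fetch by fingerprint, singles out the genuine one.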