Blacklisting on UID?

Thorsten Bro | openSUSE Heroes
Hi all,

I read this just yesterday and checked it on our instance - and
unfortunately - I found a lot of magnet URIs on our keyserver.

https://medium.com/@mdrahony/sks-keyservers-being-used-as-piracy-sites-59ce5144101f

This might be a copyright problem for organizations and companies
running SKS keyservers and I have an evaluation ongoing if openSUSE can
still provide an SKS keyserver if we face this issue.

Are there any plans for blacklisting or filtering specific GPG UIDs by
pattern in the sks server or database?

Cheers,

--

Thorsten Bro <[hidden email]>
- Member of openSUSE Heroes -

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: Blacklisting on UID?

H Visage
Hi Thorsten,

I believe the problem has been highlighted that the SKS keyservers are a very easily abused infrastructure with things like the photos etc., not to mention big keys that caused other denial of service type attacks on the server infrastructure.

The question perhaps, is:
How critical is this SKS type infrastructure for whom?

It’s not DNS nor BGP type critical for the internet, so who feels this is critical?
And if it is critical for somebody, those somebodies might need to put up their hands and start to perhaps rethink the keys, the infrastructure, consider what has been learned recently etc. and then we might have a way to go forward in a bit more “protected” way.

Just these few months I’ve been “involved”, I noticed the following:

- the keys might need to be formally specified -> how do you check that is actually a proper key??
- size and format of userID etc.
- images might need to be dropped.
- filters for EU/etc. privacy specifications??

So yes, things like the magnet URIs might just be getting more prolific until we might need to be forced to shut down ;(

> On 29 Aug 2018, at 18:52 , Thorsten Bro | openSUSE Heroes <[hidden email]> wrote:
>
> Hi all,
>
> I read this just yesterday and checked it on our instance - and
> unfortunately - I found a lot of magnet URIs on our keyserver.
>
> https://medium.com/@mdrahony/sks-keyservers-being-used-as-piracy-sites-59ce5144101f
>
> This might be a copyright problem for organizations and companies
> running SKS keyservers and I have an evaluation ongoing if openSUSE can
> still provide an SKS keyserver if we face this issue.
>
> Are there any plans for blacklisting or filtering specific GPG UIDs by
> pattern in the sks server or database?
>
> Cheers,
>
> --
>
> Thorsten Bro <[hidden email]>
> - Member of openSUSE Heroes -

---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
[hidden email]


Re: Blacklisting on UID?

Andrew Gallagher
In reply to this post by Thorsten Bro | openSUSE Heroes

> On 29 Aug 2018, at 17:52, Thorsten Bro | openSUSE Heroes <[hidden email]> wrote:
>
> Are there any plans for blacklisting or filtering specific GPG UIDs by
> pattern in the sks server or database?

I think filtering out UIDs by bad-pattern is a fool’s errand. Anyone can put anything they want in the real name field of an email UID, encoded using almost any scheme that they like, and it would be indistinguishable from a legitimate use case. And I would be wary of filtering in by good-pattern, as this could prevent the development of new use cases (e.g. monkeysphere).

If we are worried about arbitrary plain text in UIDs then the only safe thing to do is stop storing UIDs altogether. But it is far from clear that merely propagating a link is problematic enough to justify the wholesale abandonment of UIDs.

A
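
The pattern filter asked about at the top of the thread, and the limitation raised in the reply above, as an added example that is not part of the original thread and is not SKS code. It assumes UIDs are available as plain strings; the UIDs, info-hashes and function names below are constructed for illustration.

```python
import base64
import re

# Plain-text magnet link carrying a BitTorrent info-hash (40 hex or 32 base32 chars).
MAGNET_RE = re.compile(
    r"magnet:\?[^\s>)]*xt=urn:btih:([0-9a-f]{40}|[a-z2-7]{32})(?![0-9a-z])",
    re.IGNORECASE,
)
# Conventional (not mandatory) UID layout: Real Name (Comment) <email>
UID_RE = re.compile(
    r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]*)>)?$"
)

def split_uid(uid):
    """Split a UID into its non-empty fields; free-form UIDs become one 'name'."""
    m = UID_RE.match(uid.strip())
    if not m:
        return {"name": uid.strip()}
    return {k: v for k, v in m.groupdict().items() if v}

def flag_uids(uids):
    """Return (uid, field, info_hash) for each UID field holding a magnet link."""
    hits = []
    for uid in uids:
        for field, value in split_uid(uid).items():
            m = MAGNET_RE.search(value)
            if m:
                hits.append((uid, field, m.group(1).lower()))
    return hits

# Constructed sample data, not taken from any keyserver.
PLAIN = "magnet:?xt=urn:btih:0123456789abcdef0123456789abcdef01234567&dn=sample"
ENCODED_UID = base64.b64encode(PLAIN.encode()).decode() + " <y@example.invalid>"
SAMPLE_UIDS = [
    "Alice Example <alice@example.org>",
    PLAIN + " <x@example.invalid>",
    "Bob Example (magnet:?xt=urn:btih:ABCDEFGHIJKLMNOPQRSTUVWXYZ234567) <bob@example.org>",
    ENCODED_UID,  # same link, base64 in the name field: opaque to the pattern
]

if __name__ == "__main__":
    for uid, field, info_hash in flag_uids(SAMPLE_UIDS):
        print(f"{field:8} {info_hash}  {uid[:50]}")
```

A scan like this is useful for an operator auditing what an instance currently holds in plain text, but the fourth sample passes unflagged, which is the point made in the reply: a bad-pattern filter only sees encodings it already knows about.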