Re: [Sks-devel] SKS apocalypse mitigation


From: Michael Jones
Subject: Re: [Sks-devel] SKS apocalypse mitigation
Date: Mon, 26 Mar 2018 00:39:50 +0100

What if the approach was to either have a web of trust to whitelist users able to upload images or, even more stringently, strip all image data?

Is image data essential to operating?

I hardly ever look at the images, and these images could be shared via other means.

The keyservers would continue to operate with keys and revocation keys but no image data?

From memory the image can be removed from any key locally, so there is no reason that on submission it could not be removed.

Doesn't solve all the issues, but would prevent malicious use of our servers in a direct manner.


On 25 Mar 2018 8:12 p.m., "brent s." <address@hidden> wrote:
On 03/25/2018 07:39 AM, Andrew Gallagher wrote:
>
>> On 25 Mar 2018, at 03:37, Phil Pennock <address@hidden> wrote:
>>
>> Disappearance of
>> public keyservers would be a major inconvenience, but not a disaster.
>
> Considering that keyservers are currently the only resilient way to distribute key revocations, I’m not sure I would be so sanguine. If I’m hosting my key exclusively on WKD or some other web based service, it would be easy to prevent key revocations from being distributed. Granted, revocation is imperfect at the best of times. But SKS is the best tool we have at the moment, and the ecosystem would be severely damaged without it.
>
> A
>


I strongly and vehemently agree with both sides.


On a more serious note (albeit somewhat off-topic), and admittedly much
less deplorable a consideration - has the topic of copyrighted material
being distributed in keys (notably in the image data) come up at any point?

I suggest the same mechanism used in this approach should also be
applicable to those instances as well. Under DMCA in the US, keyserver
operators would be liable for this data (as we would be "distributing"
it) and responsible for its removal for compliance. I presume many other
countries have similar copyright laws/stipulations as well.




(Ironically, many if not all of the agents for intellectual property
reclamation have PGP keys themselves on our servers, as one of the
stipulations for a DMCA's validity per § 512(c)(3)(A) (found here[0]) is
"A[n] ... electronic signature of a person authorized to act on behalf
of the owner of an exclusive right that is allegedly infringed.")


[0] https://www.law.cornell.edu/uscode/text/17/512

--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info


_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel
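
The on-submission stripping proposed at the top of this message, as an added example that is not part of the thread and is not SKS code. It assumes the key arrives as a binary (dearmored) RFC 4880 packet stream, where photo IDs travel in User Attribute packets (tag 17) followed by their certification signatures (tag 2); the function names and the sample bytes are constructed for illustration, and partial or indeterminate packet lengths are rejected rather than parsed.

```python
TAG_SIGNATURE, TAG_USER_ATTRIBUTE = 2, 17   # packet tags from RFC 4880

def read_packet(buf, pos):
    """Return (tag, end) for the packet at pos; end is exclusive."""
    try:
        first = buf[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                              # new-format header
            tag, o1 = first & 0x3F, buf[pos + 1]
            if o1 < 192:
                hdr, length = 2, o1
            elif o1 < 224:
                hdr, length = 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
            elif o1 == 255:
                hdr, length = 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
            else:
                raise ValueError("partial body length not supported")
        else:                                         # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)                    # 1, 2 or 4 length octets
            length = int.from_bytes(buf[pos + 1:pos + hdr], "big")
    except IndexError:
        raise ValueError("truncated packet header") from None
    if pos + hdr + length > len(buf):
        raise ValueError("truncated packet")
    return tag, pos + hdr + length

def strip_user_attributes(key):
    """Drop each User Attribute packet and the signatures certifying it."""
    out, pos, dropping = bytearray(), 0, False
    while pos < len(key):
        tag, end = read_packet(key, pos)
        if tag == TAG_USER_ATTRIBUTE:
            dropping = True            # start of an image-bearing section
        elif tag != TAG_SIGNATURE:
            dropping = False           # next user ID or subkey: keep again
        if not dropping:
            out += key[pos:end]
        pos = end
    return bytes(out)

# Constructed sample with dummy bodies (not a real key).
KEEP_A = b"\x98\x04KEY!" + b"\xcd\x05alice" + b"\xc2\x03SIG"   # key, user ID, sig
PHOTO = b"\xd1\xc0\x6c" + b"J" * 300 + b"\xc2\x03SIG"          # tag 17 (300 bytes), sig
KEEP_B = b"\xce\x03SUB" + b"\xc2\x03SIG"                       # subkey, binding sig
SAMPLE = KEEP_A + PHOTO + KEEP_B
```

The filter leaves the primary key, user IDs, subkeys and their signatures byte-for-byte unchanged, so revocations and key material still pass through.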


