Re: [Sks-devel] Proposal: Start verifying self-signatures

sks-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] Proposal: Start verifying self-signatures

From:	Alain Wolf
Subject:	Re: [Sks-devel] Proposal: Start verifying self-signatures
Date:	Sun, 17 May 2015 23:54:53 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



Am 17.05.2015 um 23:29 schrieb Daniel Roesler:
> On May 17, 2015, Kristian Fiskerstrand wrote:
>>> 2. Prevents denial of service attacks that allows Mallory to
>>> spam a bunch of new subkeys, user ids, or huge images onto a
>>> public key.
> 
>> Please elaborate on how this is a DoS, I can see it being
>> un-appealing, but for it to qualify as a DoS the bar is higher
>> than that.
> 
> A User Attribute subpacket can be up to 256^4 bytes long[1],
> which means that a someone can upload a 4.2 GB jpeg onto your
> public key and then when gpg --recv-key tries to retreive your
> public key, it will have download a huge, overbloated file that
> you did not add yourself.
> 

If you have Nginx in front of your SKS, uploads are limited to 1 MB by
default or 8 MB if you follow Matt Rudes installation guide.

SKS itself seems to have a hard-coded 5 MB limit (wserver.ml line 174).


-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJVWQ4tXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBNTEwNjBDN0RBNDY3QzM3OTVCQkREMUJG
MDhEOUJERDEzMDg2MTEzAAoJEPCNm90TCGET6h8H/RMY6jl5vWJCmxCvAml2Hsqr
e2FCBc0Jq+yU1tU2sHIc7xQ9yGwwAbnnZnu6Oz/sx5gzyG1ZaRDfGu3TV7I2e11V
uyW3tGUmE17RPegGPDJxzqfuiUinQUJqEaMV5pns1vAb5w3d26q2rLtjZ0DPWbVG
Azr41g5QllkMGzBpjyhSX8U4ZCW984P1R1gsMfVi7/Hgn06a8ipjkStPLUSBwYCi
OXzMk8LBCWcKXc06kDv98nEaWR6QldF3fssDVDNjommAf1HJy8PUlequeLb9UpVm
DJzlcSSc8iQcUMsI4uE/rldnfc9MjGCbrz7/vjqkTpTaeIcbkDX+sSzhSh07oas=
=/V0S
-----END PGP SIGNATURE-----

[Prev in Thread]

Current Thread

[Next in Thread]

[Sks-devel] Proposal: Start verifying self-signatures, Daniel Roesler, 2015/05/17
- Re: [Sks-devel] Proposal: Start verifying self-signatures, Kristian Fiskerstrand, 2015/05/17
  - Re: [Sks-devel] Proposal: Start verifying self-signatures, Daniel Roesler, 2015/05/17
  - Re: [Sks-devel] Proposal: Start verifying self-signatures, Daniel Roesler, 2015/05/17
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Alain Wolf <=
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Daniel Roesler, 2015/05/17
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Robert J. Hansen, 2015/05/17
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Arnold, 2015/05/18
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Gabor Kiss, 2015/05/18
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Daniel Roesler, 2015/05/18
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Johan van Selst, 2015/05/18
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Arnold, 2015/05/18
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Johan van Selst, 2015/05/18
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Robert J. Hansen, 2015/05/18
    - Re: [Sks-devel] Proposal: Start verifying self-signatures, Daniel Roesler, 2015/05/18

Prev by Date: Re: [Sks-devel] Proposal: Start verifying self-signatures
Next by Date: Re: [Sks-devel] HKP and HSTS
Previous by thread: Re: [Sks-devel] Proposal: Start verifying self-signatures
Next by thread: Re: [Sks-devel] Proposal: Start verifying self-signatures
Index(es):
- Date
- Thread