
Re: [Sks-devel] Displaying user images on index page


From: Daniel Johnson
Subject: Re: [Sks-devel] Displaying user images on index page
Date: Wed, 25 Feb 2004 20:14:17 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Feb 25, 2004 at 02:25:00PM +0100, Thomas Sjögren wrote:
> I think the usage of key servers as a gallery or dump spot for
> inappropriate images isn't such a big issue, kind of like the discussion
> of spammers using key servers for harvesting email addresses.
> Besides that, images are accepted in public keys as a means of
> identification and are in the standard, so I see no point in not
> displaying them.

It isn't an issue because they haven't done it yet.  For the moment,
we have no standard scalable way to delete keys from servers and
prevent them from being re-imported.  There isn't a good way to tell
the servers "don't display 0xfoo".  The keyservers are not rigorously
verifying the integrity of keys as they come in (for resource and
legal reasons), and the standard allows (in at least one place,
PhotoIDs) large quantities of unchecked data to be appended.

As I see it, we have a gaping hole here.  Just as e-mail was never
intended for file transfer, OpenPGP keys (and servers) were never
intended to handle non-key data.  Photo packets appear to be one of
those "cool, look what we can do!" things.  Sure, I see reasonable
uses for them.  I'd have one myself if I was sure it wouldn't break
compatibility somewhere and balloon my keysize.  But just like
realizing that Base-64 encoded files can pass through e-mail servers,
we've realized that most any properly formatted file can be attached
to a key.

All it takes is someone sufficiently malicious, intelligent,
talented, and interested to hear about this and make a truly
anonymous file distribution system.  After all, they don't have to
provide the storage space.  The uploads can't be taken off the
servers.  Each server will replicate the "key" to the rest within a
day or so.  If the server operators don't notice this and start
checking logs, it becomes truly anonymous.

I think that making the keyservers advertise photo capability in the
HTML, or worse yet show the pictures, will just increase the chance
that some freak will take notice before we have a suitable defense in
place.  Not to mention using more resources if we have to trim/scale
the JPG first...

If you think about it, this is also a perfect way to DOS the entire
network.  Generate bogus keys with large packets that are just "good
enough" to be accepted and propagated.  Upload them to key servers
all over the world.  Watch the servers' drives and CPUs struggle with
hundreds of megs of updates a day.  Watch their pipes fill with the
useless key data.  I'd probably have to shut both of mine down if
that happened.

Implementing a don't-show blacklist may be a good first step, but it
doesn't solve the replication and space usage problem.  Some kind of
distributed don't-even-accept-and-delete-if-you-have blacklist seems
like the best answer, but implementing it could fragment the network
and, as Yaron pointed out, greatly complicate the existing
replication protocol.  What do you do if one of your peers doesn't
support the list for some reason?  Do we make SKS return "yes I have
X" whenever servers are comparing key lists and then fail if asked to
retrieve it?

Just my $0.02.

- --
Through the modem, off the server, over the T1, past the frame-relay,
< < NOTHIN' BUT NET > >

Daniel Johnson
address@hidden
http://dannyj.come.to/
Public PGP Keys & other info: http://dannyj.come.to/pgp/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32) - GPGshell v2.95

iD8DBQFAPVYu6vGcUBY+ge8RAjkFAKCmjf5iAv70t4xa13cWp/80YoniswCfTF8t
xaDm9/2z2WYI8PACPMCml50=
=DmVy
-----END PGP SIGNATURE-----
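
An added example, not part of the original message and not SKS code: a size check of the kind the message says keyservers were not performing on incoming keys. It walks the RFC 4880 packet framing of a binary (de-armored) key and reports user attribute (photo ID) packets above a limit; `MAX_ATTRIBUTE_BYTES`, the function names and the sample key bytes are assumptions made for illustration.

```python
USER_ATTRIBUTE = 17          # RFC 4880 packet tag that carries photo IDs
MAX_ATTRIBUTE_BYTES = 16384  # hypothetical policy limit, not an SKS setting

def read_new_length(data, pos):
    """Decode one new-format length: (body_bytes, is_partial, next_pos)."""
    first = int.from_bytes(data[pos:pos + 1], "big")   # 0 if data ran out
    if first < 192:
        return first, False, pos + 1
    if first < 224:
        low = int.from_bytes(data[pos + 1:pos + 2], "big")
        return ((first - 192) << 8) + low + 192, False, pos + 2
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), False, pos + 5
    return 1 << (first & 0x1F), True, pos + 1          # partial body chunk

def packet_sizes(data):
    """Walk a binary (de-armored) key and return [(tag, body_bytes), ...]."""
    sizes, pos = [], 0
    while pos < len(data):
        header = data[pos]
        if not header & 0x80:
            raise ValueError("no OpenPGP packet header at offset %d" % pos)
        pos += 1
        if header & 0x40:                              # new-format header
            tag, total, partial = header & 0x3F, 0, True
            while partial:                             # add up partial chunks
                length, partial, pos = read_new_length(data, pos)
                total, pos = total + length, pos + length
        else:                                          # old-format header
            tag, ltype = (header >> 2) & 0x0F, header & 0x03
            width = 0 if ltype == 3 else 1 << ltype    # type 3 runs to the end
            total = int.from_bytes(data[pos:pos + width], "big") if width else len(data) - pos
            pos += width + total
        if pos > len(data):
            raise ValueError("packet with tag %d is truncated" % tag)
        sizes.append((tag, total))
    return sizes

def oversized_attributes(data, limit=MAX_ATTRIBUTE_BYTES):
    """Body sizes of user attribute packets that exceed the policy limit."""
    return [n for tag, n in packet_sizes(data) if tag == USER_ATTRIBUTE and n > limit]

def constructed_key(photo_bytes):
    """Constructed sample: real framing, filler bodies, no actual key material."""
    key = bytes([0x99, 0x00, 0x04]) + b"\x04" * 4      # old format, tag 6
    uid = bytes([0xCD, 0x05]) + b"alice"               # new format, tag 13
    attr = bytes([0xD1, 0xFF]) + photo_bytes.to_bytes(4, "big") + bytes(photo_bytes)
    return key + uid + attr                            # tag 17 last
```

A check like this only bounds what a single server stores or displays; it does not address the replication questions raised at the end of the message.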




