mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-30 03:22:06 +01:00
ch4: move certification flooding section to "advanced" part
parent
451b881c03
commit
f35044bd68
1 changed files with 10 additions and 10 deletions
|
@ -247,16 +247,6 @@ This presupposes that Bob knows this person who goes by "Alice Adams", and is sa
|
||||||
|
|
||||||
For more on third-party certifications, see {ref}`third_party_cert`.
|
For more on third-party certifications, see {ref}`third_party_cert`.
|
||||||
|
|
||||||
### Security considerations
|
|
||||||
|
|
||||||
While a convenience for consumers, indiscriminately accepting and integrating third-party identity certifications comes with significant risks.
|
|
||||||
|
|
||||||
Without any restrictions in place, malicious entities can flood a certificate with excessive certifications. Called "certificate flooding," this form of digital vandalism grossly expands the certificate size, making the certificate cumbersome and impractical for users.
|
|
||||||
|
|
||||||
It also opens the door to potential denial-of-service attacks, rendering the certificate non-functional or significantly impeding its operation.
|
|
||||||
|
|
||||||
The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019.
|
|
||||||
|
|
||||||
## Advanced topics
|
## Advanced topics
|
||||||
|
|
||||||
```{admonition} TODO
|
```{admonition} TODO
|
||||||
|
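Review bot: With the "### Security considerations" block removed from directly after the `third_party_cert` reference, this part of the chapter no longer mentions that accepting third-party certifications carries any risk. Consider leaving a single sentence here that names certificate flooding and points to the new "Third-party certification flooding" section under "Advanced topics", so a reader who stops at the basic material still sees the caveat.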
@ -323,3 +313,13 @@ references/links missing
|
||||||
```
|
```
|
||||||
|
|
||||||
Some OpenPGP subsystems may add User IDs to a certificate, which are not bound to the primary key by the certificate's owner. This can be useful to store local identity information (e.g., Sequoia's public store attaches "pet-names" to certificates, in this way).
|
Some OpenPGP subsystems may add User IDs to a certificate, which are not bound to the primary key by the certificate's owner. This can be useful to store local identity information (e.g., Sequoia's public store attaches "pet-names" to certificates, in this way).
|
||||||
|
|
||||||
|
### Third-party certification flooding
|
||||||
|
|
||||||
|
While a convenience for consumers, indiscriminately accepting and integrating third-party identity certifications comes with significant risks.
|
||||||
|
|
||||||
|
Without any restrictions in place, malicious entities can flood a certificate with excessive certifications. Called "certificate flooding," this form of digital vandalism grossly expands the certificate size, making the certificate cumbersome and impractical for users.
|
||||||
|
|
||||||
|
It also opens the door to potential denial-of-service attacks, rendering the certificate non-functional or significantly impeding its operation.
|
||||||
|
|
||||||
|
The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019.
|
||||||
|
|
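Review bot: The added "### Third-party certification flooding" heading has no label target above it, so other sections cannot link to it with a `{ref}` role the way `third_party_cert` is linked; add one (the label name is up to the author). The moved text is also unchanged from its old location: it says "Without any restrictions in place" but never says which restrictions a consumer or keyserver can apply, and as a stand-alone advanced topic it would benefit from one sentence naming them or linking to where they are covered.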