mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-30 03:22:06 +01:00
ch4: move certification flooding section to "advanced" part
This commit is contained in:
parent
451b881c03
commit
f35044bd68
1 changed files with 10 additions and 10 deletions
|
@ -247,16 +247,6 @@ This presupposes that Bob knows this person who goes by "Alice Adams", and is sa
|
|||
|
||||
For more on third-party certifications, see {ref}`third_party_cert`.
|
||||
|
||||
### Security considerations
|
||||
|
||||
While a convenience for consumers, indiscriminately accepting and integrating third-party identity certifications comes with significant risks.
|
||||
|
||||
Without any restrictions in place, malicious entities can flood a certificate with excessive certifications. Called "certificate flooding," this form of digital vandalism grossly expands the certificate size, making the certificate cumbersome and impractical for users.
|
||||
|
||||
It also opens the door to potential denial-of-service attacks, rendering the certificate non-functional or significantly impeding its operation.
|
||||
|
||||
The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019.
|
||||
|
||||
## Advanced topics
|
||||
|
||||
```{admonition} TODO
|
||||
|
@ -323,3 +313,13 @@ references/links missing
|
|||
```
|
||||
|
||||
Some OpenPGP subsystems may add User IDs to a certificate, which are not bound to the primary key by the certificate's owner. This can be useful to store local identity information (e.g., Sequoia's public store attaches "pet-names" to certificates, in this way).
|
||||
|
||||
### Third-party certification flooding
|
||||
|
||||
While a convenience for consumers, indiscriminately accepting and integrating third-party identity certifications comes with significant risks.
|
||||
|
||||
Without any restrictions in place, malicious entities can flood a certificate with excessive certifications. Called "certificate flooding," this form of digital vandalism grossly expands the certificate size, making the certificate cumbersome and impractical for users.
|
||||
|
||||
It also opens the door to potential denial-of-service attacks, rendering the certificate non-functional or significantly impeding its operation.
|
||||
|
||||
The popular [SKS keyserver network experienced certificate flooding firsthand](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), causing it to shut down operations in 2019.
|
||||
|
|
Loading…
Reference in a new issue