The PGP (SKS) net server network is under attack, and it seems pretty damn bad. gist.github.com/rjhansen/67ab9…

Read the post obviously. But the TL;DR is that someone is spamming the keys of certain GnuPG contributors with huge numbers of extra signature attestations, and GnuPG can’t deal with it.

The problem seems basically unfixable, and oh god, of course the reason involves unmaintained academic code written in OCaml.

The attacker has targeted two active OpenPGP/GnuPG developers in particular: Robert Hansen and DKG. I hate that someone is doing this. But I also recognize why they’re doing it. And it kind of tears me up.

There’s been a debate in the crypto community about whether the OpenPGP infrastructure is worth carrying on or whether it should be thrown out and replaced. This attack is obviously a very powerful argument for the latter. But it’s also a crappy thing to do to people.

See DKG’s blog post linked from the bottom of the above post. I’d propose that making DKG think about walking away from the ecosystem is maybe part of the attacker’s goal. I hope he doesn’t.

Not, mind you, because I’m excited about the OpenPGP ecosystem continuing to exist. The fact that critical portions of the code are written in unmaintainable languages should make it obvious that’s a bad idea.

But this is just a crummy way for things to happen.

(But, they cry, GnuPG is needed for so much more than encryption. It’s also needed for signing critical packages. Maybe that’s not the greatest idea either.)