
On Thu, 4 Jul 2019 11:11:51 +1200, Peter Reutemann quoted:
'A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem.'
Here <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f> is a blog post on GitHub (!) giving more details, for those who are interested. The potential for such an attack has been known for about a decade. It is currently targeting just two specific people, for unknown reasons. But it could easily be done against anybody else who has published a PGP key. Basically, the attack is taking advantage of a fundamental design feature of the current keyserver system: it’s not a bug, it’s a deliberate feature that once an attestation has been attached to somebody’s key, it can never be removed.
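As an added example (not part of this post, and not code from the gist it links), here is a Python check that a defender could run on a key fetched from a keyserver before importing it. It parses only the packet framing of a binary OpenPGP transferable public key, as laid out in RFC 4880 sections 4.2 and 4.3, and counts the signature packets attached to each user ID; it verifies nothing. The sample key bytes are constructed inline, and the 1000-signature threshold is an arbitrary assumption chosen for illustration.

```python
"""Added example: flag an OpenPGP key that carries a flood of certifications.

Walks the packet framing of a binary (non-armored) transferable public key
per RFC 4880 section 4.2 and counts signature packets per user ID.  Since a
certification appended to a keyserver copy cannot be removed, the count
alone indicates whether importing the key is safe for a client.
"""
import struct

# Packet tags from RFC 4880 section 4.3
SIG, PUBKEY, USERID, SUBKEY = 2, 6, 13, 14


def read_packet_header(data, pos):
    """Return (tag, body_start, body_len) for the packet starting at pos."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("invalid packet header at offset %d" % pos)
    if ctb & 0x40:  # new-format header: tag in the low six bits
        tag = ctb & 0x3F
        first = data[pos + 1]
        if first < 192:                       # one-octet length
            return tag, pos + 2, first
        if first < 224:                       # two-octet length
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:                      # five-octet length
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F                   # old-format header
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length not supported")


def iter_packets(data):
    """Yield (tag, body) for every packet in the blob, rejecting truncation."""
    pos = 0
    while pos < len(data):
        tag, start, length = read_packet_header(data, pos)
        end = start + length
        if end > len(data):
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, data[start:end]
        pos = end


def signatures_per_user_id(data):
    """Map each user ID to the number of signatures that follow it (before the
    next user ID or subkey); subkey binding signatures are not counted."""
    counts, current = {}, None
    for tag, body in iter_packets(data):
        if tag == USERID:
            current = body.decode("utf-8", "replace")
            counts.setdefault(current, 0)
        elif tag == SUBKEY:
            current = None
        elif tag == SIG and current is not None:
            counts[current] += 1
    return counts


def flooded_user_ids(data, limit=1000):
    """User IDs carrying more than `limit` signatures (threshold is an assumption)."""
    return [uid for uid, n in signatures_per_user_id(data).items() if n > limit]


def encode_packet(tag, body):
    """Build a new-format packet; used only to construct the sample key below."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def build_constructed_key():
    """Constructed sample: one user ID buried under 1500 junk certifications.
    Packet bodies are filler; only the framing matters to this check."""
    pubkey = b"\x99" + struct.pack(">H", 64) + b"\x04" + b"\x00" * 63  # old-format header
    blob = pubkey
    blob += encode_packet(USERID, b"Alice <alice@example.org>")
    blob += encode_packet(SIG, b"\x04\x13" + b"\x00" * 118)             # self-certification
    blob += b"".join(encode_packet(SIG, b"\x04\x10" + b"\x00" * 298) for _ in range(1500))
    blob += encode_packet(USERID, b"Bob <bob@example.org>")
    blob += encode_packet(SIG, b"\x04\x13" + b"\x00" * 118) * 2
    blob += encode_packet(SUBKEY, b"\x04" + b"\x00" * 63)
    blob += encode_packet(SIG, b"\x04\x18" + b"\x00" * 118)             # subkey binding
    return blob


if __name__ == "__main__":
    key = build_constructed_key()
    for uid, n in signatures_per_user_id(key).items():
        print("%-30s %5d signatures" % (uid, n))
    print("flooded:", flooded_user_ids(key))
```

Real signature packets carry hashed subpackets, issuer key IDs and the signature itself, none of which this check reads; that is deliberate, since the problem described above is the volume of attestations, not their content, and a client that has to parse every one of them is the thing that falls over.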