denial of service by flooding keyservers
Currently, @monkeysphere-authentication update-users@ (and @monkeysphere update-known_hosts@) pull new keys from the keyservers by looking for an explicit User ID match.
However, there is a FIXME in the code that indicates that it actually only pulls the first 5 keys with a full User ID match.
SKS (the dominant keyserver architecture today) appears to return keys in chronological order of creation, most-recently created first. This means that anyone could do a trivial denial-of-service attack against a given User ID by generating 5 keys with that matching User ID.
This is mitigated somewhat by the fact that the local keyring is itself stored, so a malicious key spoofer could not revoke already-existing access. But they could prevent access to accounts on new machines with this attack.
(from redmine: created on 2009-07-03, closed on 2013-07-11)
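
The truncation described above, modelled as an added example (not monkeysphere's own code): a capped selection over a newest-first listing drops the oldest matching key, and a simple count check detects when that has happened. The listing format, key IDs, User IDs and the function names @select_keys@, @count_matches@ and @truncated@ are constructed for illustration.

```shell
#!/bin/sh
# Constructed listing, newest first: keyid|creation date|User ID.
# Key IDs, dates and names are made-up sample values.
sample_listing() {
cat <<'EOF'
AAAA0006|2009-07-02|Alice Example <alice@example.org>
AAAA0005|2009-07-02|Alice Example <alice@example.org>
AAAA0004|2009-07-02|Alice Example <alice@example.org>
AAAA0003|2009-07-02|Alice Example <alice@example.org>
AAAA0002|2009-07-02|Alice Example <alice@example.org>
AAAA0001|2008-01-15|Alice Example <alice@example.org>
BBBB0001|2009-06-01|Bob Example <bob@example.org>
EOF
}

# select_keys UID CAP: read a listing on stdin and print the key IDs whose
# User ID matches UID exactly. CAP=5 models the "first 5 keys" behaviour
# from the FIXME; CAP=0 means no limit.
select_keys() {
    awk -F'|' -v uid="$1" -v cap="$2" '
        $3 == uid { n++; if (cap == 0 || n <= cap) print $1 }'
}

# count_matches UID: total number of exact User ID matches on stdin.
count_matches() {
    awk -F'|' -v uid="$1" '$3 == uid { n++ } END { print n + 0 }'
}

# truncated UID CAP: exit 0 if a fetch capped at CAP would silently
# drop matching keys from the sample listing.
truncated() {
    [ "$(sample_listing | count_matches "$1")" -gt "$2" ]
}

uid='Alice Example <alice@example.org>'
echo "capped at 5: $(sample_listing | select_keys "$uid" 5 | tr '\n' ' ')"
echo "no cap:      $(sample_listing | select_keys "$uid" 0 | tr '\n' ' ')"
if truncated "$uid" 5; then
    echo "WARNING: more than 5 keys match '$uid'; capped result is incomplete" >&2
fi
```

With the cap, the oldest key (@AAAA0001@ in the sample) never reaches the local keyring; the count check at least turns the silent failure into a visible one.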