A number of certificates associated with the Tor project have also been flooded. The Tor network is used for anonymously accessing sites on the Web.
Hansen, who has been part of the OpenPGP community for the last 27 years, warned it could get worse. "This attack cannot be mitigated by the SKS keyserver network in any reasonable time period," he said in a post on GitHub.
"It is unlikely to be mitigated by the OpenPGP Working Group in any reasonable time period. Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network."
The certificate spamming attack took place last week and exploited a defect in the OpenPGP protocol to poison the two developers' certificates. OpenPGP lets anyone attach third-party certifications (signatures) to someone else's public certificate, and the SKS keyservers accept an unlimited number of them and never delete anything, so an attacker can balloon a certificate to tens of thousands of signatures that GnuPG cannot process in any reasonable time.
In a note on GitHub, Hansen said anyone who tried to import a poisoned certificate into a vulnerable OpenPGP installation would break their installation in ways that would be very hard to debug.
"Poisoned certificates are already on the SKS keyserver network," he said. "There is no reason to believe the attacker will stop at just poisoning two certificates.
"Further, given the ease of the attack and the highly publicised success of the attack, it is prudent to believe other certificates will soon be poisoned."
One of the most common implementations of OpenPGP is the GnuPG package, which ships with virtually every Linux distribution. "The number one use of OpenPGP today is to verify downloaded packages for Linux-based operating systems, usually using a software tool called GnuPG," Hansen said.
"If someone were to poison a vendor's public certificate and upload it to the keyserver network, the next time a system administrator refreshed their keyring from the keyserver network the vendor's now-poisoned certificate would be downloaded.
"At that point upgrades become impossible because the authenticity of downloaded packages cannot be verified. Even downloading the vendor's certificate and re-importing it would be of no use, because GnuPG would choke trying to import the new certificate. It is not hard to imagine how motivated adversaries could employ this against a Linux-based computer network."
Hansen advised the following as a short-term mitigation:
"Users who are confident editing their GnuPG configuration files should follow the following process," he said.
"Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
"Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it."
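The two-file change above, as an added shell example (not from Hansen's post or from the GnuPG project) that applies it to a GnuPG home directory non-interactively and can be re-run safely. The function names, the `.pre-mitigation` backup suffix and the choice to strip any existing `keyserver` line from `dirmngr.conf` before appending the new one are this example's own; Hansen's text only says to append the line.

```shell
#!/bin/sh
# Added example: apply Hansen's short-term keyserver mitigation to a GnuPG home.
# Not part of the original post or of GnuPG; helper names are hypothetical.

# Hypothetical helper: repoint a GnuPG home ($1, default ~/.gnupg) at
# keys.openpgp.org.  Safe to run more than once.
apply_keyserver_mitigation() {
    home="${1:-$HOME/.gnupg}"
    gpg_conf="$home/gpg.conf"
    dirmngr_conf="$home/dirmngr.conf"
    mkdir -p "$home"
    chmod 700 "$home"

    # Step 1 (gpg.conf): remove every line that starts with 'keyserver'.
    # In GnuPG 2.1 and later the keyserver setting belongs to dirmngr anyway.
    if [ -f "$gpg_conf" ]; then
        cp "$gpg_conf" "$gpg_conf.pre-mitigation"
        # grep -v exits 1 when no line survives; that is not an error here.
        grep -v '^[[:space:]]*keyserver' "$gpg_conf.pre-mitigation" > "$gpg_conf" || :
    fi

    # Step 2 (dirmngr.conf): drop any existing keyserver line first, because a
    # leftover SKS pool entry would defeat the point, then append the new one.
    # Stripping the old line goes slightly beyond Hansen's wording.
    if [ -f "$dirmngr_conf" ]; then
        cp "$dirmngr_conf" "$dirmngr_conf.pre-mitigation"
        grep -v '^[[:space:]]*keyserver' "$dirmngr_conf.pre-mitigation" > "$dirmngr_conf" || :
    fi
    printf 'keyserver hkps://keys.openpgp.org\n' >> "$dirmngr_conf"
}

# Hypothetical check: print the keyserver dirmngr will use for home $1, or
# "builtin-default" when none is configured (dirmngr then falls back to its
# compiled-in default, which at the time of the attack was an SKS pool).
effective_keyserver() {
    home="${1:-$HOME/.gnupg}"
    ks=$(awk '$1 == "keyserver" { print $2; exit }' "$home/dirmngr.conf" 2>/dev/null) || :
    printf '%s\n' "${ks:-builtin-default}"
}

# Only touch the real home when explicitly asked, so sourcing this file is harmless.
if [ "${1:-}" = "--apply" ]; then
    target="${GNUPGHOME:-$HOME/.gnupg}"
    apply_keyserver_mitigation "$target"
    echo "dirmngr keyserver is now: $(effective_keyserver "$target")"
fi
```

Run it as `sh fix-keyserver.sh --apply`, then `gpgconf --reload dirmngr` so an already-running dirmngr re-reads its configuration; otherwise it keeps using the keyserver it started with until it exits.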
He said if one knew of a particular certificate that was poisoned, one could try to delete it. "This normally goes pretty quickly. If your OpenPGP installation becomes usable again, congratulations. Acquire a new unpoisoned copy of the certificate and import that.
"If you don't know which certificate is poisoned, your best bet is to get a list of all your certificate IDs, delete your keyrings completely, and rebuild from scratch using known-good copies of the public certificates."
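The two recovery paths Hansen describes (delete one known-poisoned certificate, or record every certificate ID, discard the public keyring and rebuild it from known-good copies), as an added shell example that is not from his post or from GnuPG. The function names are hypothetical, and the `--with-colons` listing embedded below is a constructed sample with fake fingerprints so the parsing can be exercised without a keyring. Unlike the wording "delete your keyrings completely", the rebuild here moves only the public keyring aside and leaves the secret keys in `private-keys-v1.d` and the trust database untouched, which is what you actually want.

```shell
#!/bin/sh
# Added example: recover a GnuPG installation from a poisoned certificate.
# Not part of Hansen's post or of GnuPG; helper names and sample data are
# this example's own.

# Hypothetical helper: read a `gpg --with-colons --list-keys` listing on stdin
# and print the fingerprint of each primary key.  In that format the 'fpr'
# line after a 'pub' line is the primary key; 'fpr' lines after 'sub' lines
# belong to subkeys and are skipped.  Field 10 of an 'fpr' line is the hex
# fingerprint.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1 }
        $1 == "sub" { want = 0 }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# Hypothetical helper: print the fingerprints listed in file $1 that do not
# appear in file $2, i.e. certificates not restored by the rebuild.
missing_fingerprints() {
    sort -u "$1" > "$1.sorted"
    sort -u "$2" > "$2.sorted"
    comm -23 "$1.sorted" "$2.sorted"
    rm -f "$1.sorted" "$2.sorted"
}

# Option A (the poisoned certificate is known): delete it by fingerprint,
# then re-import a clean copy.  --batch --yes suppresses the confirmation.
delete_certificate() {
    gpg --batch --yes --delete-keys "$1"
}

# Option B (culprit unknown): record every fingerprint, move the public
# keyring aside, re-import the known-good .asc files in directory $1 and
# report which fingerprints were not restored.  Secret keys live in
# private-keys-v1.d and are not touched; trustdb.gpg is also left alone.
rebuild_public_keyring() {
    good_dir="$1"
    home="${GNUPGHOME:-$HOME/.gnupg}"
    stamp=$(date +%Y%m%d-%H%M%S)
    before="$home/fingerprints-before-$stamp.txt"
    after="$home/fingerprints-after-$stamp.txt"

    # Listing a poisoned keyring is slow, but unlike import it does finish.
    gpg --batch --with-colons --list-keys | primary_fingerprints > "$before"

    for ring in "$home/pubring.kbx" "$home/pubring.gpg"; do
        if [ -f "$ring" ]; then
            mv "$ring" "$ring.poisoned-$stamp"
        fi
    done

    for cert in "$good_dir"/*.asc; do
        [ -f "$cert" ] || continue
        gpg --batch --import "$cert"
    done

    gpg --batch --with-colons --list-keys | primary_fingerprints > "$after"
    missing_fingerprints "$before" "$after"
}

# Constructed sample of --with-colons output: two primary keys, one subkey,
# fake fingerprints and user IDs.  Used only to demonstrate the parser.
sample_listing() {
    cat <<'EOF'
tru::1:1561929600:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1561929600:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1561929600::0000000000000000000000000000000000000000::Example Vendor (constructed) <vendor@example.invalid>::::::::::0:
sub:u:4096:1:89ABCDEF01234567:1561929600::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:-:2048:1:FEDCBA9876543210:1561929600:::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1561929600::0000000000000000000000000000000000000000::Second Key (constructed) <second@example.invalid>::::::::::0:
EOF
}

case "${1:-}" in
    --delete)  delete_certificate "${2:?fingerprint required}" ;;
    --rebuild) rebuild_public_keyring "${2:?directory of known-good .asc files required}" ;;
    --demo)    sample_listing | primary_fingerprints ;;
esac
```

`sh recover.sh --demo` prints the two primary fingerprints from the sample and touches nothing; `--delete FPR` and `--rebuild DIR` operate on the real `GNUPGHOME`. After a rebuild, the printed list is the set of fingerprints you still need to obtain clean copies of, from the vendor's own site rather than from the SKS network.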