multiple copies of the self-signature on the key

Janusz A. Urbanowicz alex at bofh.net.pl
Fri Jun 16 15:01:20 CEST 2006


On Fri, Jun 16, 2006 at 08:11:18AM -0400, David Shaw wrote:
> > > Without crypto support, how is the keyserver to know that the nice new
> > > signature with a later timestamp is in fact a real signature and not
> > > garbage?  It would be a perfect denial-of-service attack to upload
> > > bogus selfsignatures and then sit back and watch the keyserver erase
> > > parts of the key.
> > > 
> > > GPG can do this because it can actually verify the signatures and
> > > check.  Keyservers are just storage and cannot verify.
> > 
> > So, why doesn't GPG do this on import? AFAIR PGP 2 did this automatically.
> 
> PGP 2 didn't store anything useful in the self-signature, so there
> was never more than one unless someone intentionally forced one to be
> there.
> 
> In any event, GPG can do this on import, but it is optional.  If you
> want it:
> 
>   keyserver-options import-clean

But this will clear all "unneeded stuff" from the imported keys, and not only
from my key?

a


