Global Directory signatures (was Re: GPG wants to check trustdb every day)

Jason Harris jharris at widomaker.com
Fri Jan 7 01:27:11 CET 2005


On Mon, Jan 03, 2005 at 10:42:17AM -0500, David Shaw wrote:
> On Sun, Jan 02, 2005 at 11:33:47PM -0500, Jason Harris wrote:

> > No.  Determining who (keyholders v. key users) copies keys from
> > keyserver.pgp.com to the regular keyservers is not important to me.

> Lovely.  Moving on then, do you see this as something you can resolve
> in your keyserver?  I've made the change in GnuPG to not import or
> export expired signatures by default.  This is a limited fix, of
> course, due to the overlap between an old GD sig expiring and a new GD
> sig being issued.  It strikes me that if the goal is to keep the
> keyservers clean, then the keyservers need to take action.  There is
> only so much that clients can do here.

It should be a very easy fix in pks, yes, but until all servers in
subkeys.pgp.net, for example, strip signatures by 0xCA57AD7C in the
exact same way, I think the main effect will be to confuse people.

Ideally, keyserver.pgp.com will stop issuing daily signatures, like
0xEF27ED5F shows it is still doing:

  sig!         CA57AD7C 2005-01-05  PGP Global Directory Verification Key
  sig!         CA57AD7C 2005-01-05  PGP Global Directory Verification Key
  sig!         CA57AD7C 2005-01-04  PGP Global Directory Verification Key

and then address its biweekly signatures.

As you said, if a key isn't on keyserver.pgp.com, then it is not
considered usable by that keyserver, so what is the point in issuing
such short-lived, yet exportable, signatures in the first place?
Even using yearly signatures, the keyserver needn't export them to know
that it has signed each key.  IINM, the signatures could be marked non-
exportable but still be sent to and used by PGP and GPG users that want
0xCA57AD7C in their personal WoT.  Then, those signatures wouldn't be
exported by encryption clients to the regular keyservers and it wouldn't
matter how often they are [re]issued.  As well, all regular keyservers
could discard any non-exportable signatures they are sent, which would
be a lot better than hard-coding keyids and retention policies for
specific, nuisance, automated keysigners.

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
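To make the keyserver-side cleanup discussed in this exchange concrete, here is an added example that is not pks code or any keyserver's own: it parses `--list-sigs` style lines like the ones quoted above, collapses re-issued certifications to the newest one per signer (the retention approach), and separately shows the hard-coded keyid stripping Jason argues is the worse option. The listing, the "Example User" key, and the function names are constructed for this example.

```python
"""Hypothetical keyserver-side cleanup of re-issued certifications (not pks code)."""
import re
from dataclasses import dataclass

# Matches lines such as:
#   sig!         CA57AD7C 2005-01-05  PGP Global Directory Verification Key
#   sig 3        EF27ED5F 2004-06-01  Example User <...>        (self-sig with cert level)
SIG_RE = re.compile(
    r"^\s*sig([!?%-]?)(?:\s+\d)?\s+([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$"
)

# Constructed sample: the three GD lines quoted in the thread plus a self-signature.
SAMPLE_LISTING = """\
pub   1024D/EF27ED5F 2004-06-01
uid                  Example User (constructed sample) <user@example.invalid>
sig 3        EF27ED5F 2004-06-01  Example User (constructed sample) <user@example.invalid>
  sig!         CA57AD7C 2005-01-05  PGP Global Directory Verification Key
  sig!         CA57AD7C 2005-01-05  PGP Global Directory Verification Key
  sig!         CA57AD7C 2005-01-04  PGP Global Directory Verification Key
"""


@dataclass(frozen=True)
class Sig:
    status: str  # "!" verified, "?" signer key unknown, "-" bad, "%" error, "" unchecked
    keyid: str   # signer key ID, upper-cased
    date: str    # ISO date, so plain string comparison orders by time
    uid: str     # user ID gpg printed for the signer


def parse_sigs(listing: str) -> list[Sig]:
    """Extract sig records from a --list-sigs dump; pub/uid and other lines are ignored."""
    sigs = []
    for line in listing.splitlines():
        m = SIG_RE.match(line)
        if m:
            status, keyid, date, uid = m.groups()
            sigs.append(Sig(status, keyid.upper(), date, uid.strip()))
    return sigs


def collapse_reissued(sigs: list[Sig]) -> list[Sig]:
    """Retention policy: keep only the newest certification from each signer.

    Exact duplicates (same signer, same date) collapse to one record, and
    signers stay in order of first appearance.
    """
    newest: dict[str, Sig] = {}
    for sig in sigs:
        cur = newest.get(sig.keyid)
        if cur is None or sig.date > cur.date:
            newest[sig.keyid] = sig
    return list(newest.values())


def strip_signers(sigs: list[Sig], blocked: set[str]) -> list[Sig]:
    """Keyid policy: drop every certification made by a blocked key ID ("0x" prefix allowed)."""
    blocked_ids = {k.upper().removeprefix("0X") for k in blocked}
    return [s for s in sigs if s.keyid not in blocked_ids]
```

Running `collapse_reissued(parse_sigs(SAMPLE_LISTING))` leaves one self-signature and one 2005-01-05 GD signature; `strip_signers` with `{"0xCA57AD7C"}` leaves only the self-signature.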