No subject


Tue Dec 28 16:41:44 CET 2004


seems what happens is that the signature is issued when a key is
requested FROM the server, and not when it is added TO the server.
The signatures are set to expire after 14 days.  If you request a key
from the GD from the 10-13th day onward (unclear where the dividing
line lies), it makes a new signature.

So, if you are relying on the GD signature to make a key valid, or
just do a --refresh-keys every now and then, then you'll end up with a
whole lot of expired signatures from the GD after a while.

I don't know if the 14-day thing is because the GD is still in beta
and the PGP folks don't want longer duration signatures out just yet.
Still, any way you look at it, expired GD signatures will eventually
build up, whether they increase every 2 weeks or every 6 months.

There is no security problem with this, of course, but it does mean
that after a while, your key will start to get big with all those
signatures (and --list-sigs gets really ugly).  Eventually, those sigs
will make it to the keyserver net and then we're stuck with them
forever.

I have been toying with various possible things to do about it, and I
welcome anyone's thoughts.

Things I'm wondering about:

* A new switch to not send expired sigs to keyservers and/or a switch
  to not accept expired sigs from keyservers.  This would slow down
  the growth, but not fix it completely as there is still the 2-week
  window before the sig expires.  This might be a good thing for
  general keyserver and keyring cleanliness though.

* A new option to indicate a key from which signatures were not
  exported.  This is a better fix since GD signatures should always
  come directly from the GD, and have no need to be sent anywhere.
  The person who commented that GD sigs should be local was on the
  right track here, though there are other problems with importing a
  local signature.  Unfortunately, this option could not be set by
  default (I do not want to hardcode the GD fingerprint into gpg), so
  if it was not manually set by everyone (and it certainly wouldn't
  be), then we're back in the same boat.

* Have keyservers discard GD signatures?

* Ask the PGP folks to do something (what?)

* Do nothing?

David
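As an added example, not part of David's message or of GnuPG itself: a small check that counts, per signer, how many certification signatures on each key in `gpg --with-colons --list-sigs` output have already expired, which is the build-up the message describes. The key IDs and sample records are constructed, and the field layout assumed is the colon-record format described in GnuPG's doc/DETAILS (type in field 1, signer key ID in field 5, creation in field 6, expiration in field 7 as epoch seconds, signer user ID in field 10).

```python
"""Count expired certification signatures per key from `gpg --with-colons --list-sigs`."""
from collections import defaultdict
import time

# Constructed sample output (hypothetical key IDs): one key carrying its own
# self-signature plus three 14-day certifications from a directory-style signer,
# each reissued shortly before the previous one expired.
SAMPLE_OUTPUT = """\
pub:-:1024:17:1111111111111111:1072915200:::-:::scESC:
uid:-::::1072915200::ABCDEF::Alice Example <alice@example.org>::::::::::0:
sig:::17:1111111111111111:1072915200::::Alice Example <alice@example.org>:13x:
sig:::1:2222222222222222:1101600000:1102809600::::Directory Signer (constructed) <ds@example.org>:10x:
sig:::1:2222222222222222:1102723200:1103932800::::Directory Signer (constructed) <ds@example.org>:10x:
sig:::1:2222222222222222:1103846400:1105056000::::Directory Signer (constructed) <ds@example.org>:10x:
"""

def parse_sigs(output):
    """Yield (primary_keyid, signer_keyid, signer_uid, created, expires) per sig record.

    Assumes epoch-second timestamps (older GnuPG versions); an empty expiration
    field means the signature does not expire.
    """
    current_key = None
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current_key = fields[4]           # signatures that follow belong to this key
        elif fields[0] == "sig" and current_key is not None:
            created = int(fields[5]) if fields[5] else None
            expires = int(fields[6]) if fields[6] else None
            yield current_key, fields[4], fields[9], created, expires

def expired_sig_report(output, now=None):
    """Return {primary_keyid: {signer_keyid: (expired_count, total_count)}}."""
    now = time.time() if now is None else now
    report = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for key, signer, _uid, _created, expires in parse_sigs(output):
        counts = report[key][signer]
        counts[1] += 1
        if expires is not None and expires < now:
            counts[0] += 1
    return {k: {s: tuple(c) for s, c in v.items()} for k, v in report.items()}

if __name__ == "__main__":
    # Evaluate at a fixed instant (2005-01-01 00:00 UTC) so the result is reproducible.
    for key, signers in expired_sig_report(SAMPLE_OUTPUT, now=1104537600).items():
        for signer, (expired, total) in signers.items():
            print(f"key {key}: {expired}/{total} sigs from {signer} expired")
```

Running it against real output (`gpg --with-colons --list-sigs | python3 thisfile.py` with the sample replaced by `sys.stdin.read()`) shows which signers are responsible for the accumulation on a keyring.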