multiple copies of the self-signature on the key

David Shaw dshaw at
Wed Jun 14 14:24:17 CEST 2006

On Wed, Jun 14, 2006 at 02:20:20PM +0200, Janusz A. Urbanowicz wrote:
> On Wed, Jun 14, 2006 at 08:05:22AM -0400, David Shaw wrote:
> > On Wed, Jun 14, 2006 at 12:29:03PM +0200, Janusz A. Urbanowicz wrote:
> > > Hi, I am under an impression I reported that some time (~2 years) ago:
> > > 
> > > I have a setup where I send (and update) my pubkey to remote amchines
> > > by downloading it from the keyserver network. Over time, preferences
> > > are updated, subkeys are crosscertified. And new and new
> > > self-signatures deposite on the key with old not being flushed. What
> > > can I do with that?
> > 
> > You can't stop the keyservers from storing all copies of your
> > selfsig.  They have no crypto support so have no way to tell which (if
> > any) is the "right" one to keep.
> the latest one by timestamp?
> just a thought

Without crypto support, how is the keyserver to know that the nice new
signature with a later timestamp is in fact a real signature and not
garbage?  It would be a perfect denial-of-service attack to upload
bogus selfsignatures and then sit back and watch the keyserver erase
parts of the key.

GPG can do this because it can actually verify the signatures and
check.  Keyservers are just storage and cannot verify.


More information about the Gnupg-devel mailing list