multiple copies of the self-signature on the key
Janusz A. Urbanowicz
alex at bofh.net.pl
Fri Jun 16 12:09:08 CEST 2006
On Wed, Jun 14, 2006 at 08:24:17AM -0400, David Shaw wrote:
> On Wed, Jun 14, 2006 at 02:20:20PM +0200, Janusz A. Urbanowicz wrote:
> > On Wed, Jun 14, 2006 at 08:05:22AM -0400, David Shaw wrote:
> > > On Wed, Jun 14, 2006 at 12:29:03PM +0200, Janusz A. Urbanowicz wrote:
> > > > Hi, I am under an impression I reported that some time (~2 years) ago:
> > > >
> > > > I have a setup where I send (and update) my pubkey to remote machines
> > > > by downloading it from the keyserver network. Over time, preferences
> > > > are updated, subkeys are cross-certified. And new and new
> > > > self-signatures deposit on the key with the old ones not being flushed.
> > > > What can I do with that?
> > >
> > > You can't stop the keyservers from storing all copies of your
> > > selfsig. They have no crypto support so have no way to tell which (if
> > > any) is the "right" one to keep.
> >
> > the latest one by timestamp?
> >
> > just a thought
>
> Without crypto support, how is the keyserver to know that the nice new
> signature with a later timestamp is in fact a real signature and not
> garbage? It would be a perfect denial-of-service attack to upload
> bogus selfsignatures and then sit back and watch the keyserver erase
> parts of the key.
>
> GPG can do this because it can actually verify the signatures and
> check. Keyservers are just storage and cannot verify.
So, why doesn't GPG do this on import? AFAIR PGP 2 did this automatically.
Alex
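As an added illustration that is not part of the thread, here is a toy model of the argument above: a keyserver that merges without verification accumulates every self-signature it is sent, pruning by timestamp alone can be defeated by an unverifiable upload with a later timestamp, while a verifying client can safely keep only the newest self-signature that actually validates. The HMAC "signature", the secret and the preference strings are constructed stand-ins for OpenPGP self-signatures, not real OpenPGP packets.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass

# Toy stand-in for an OpenPGP self-signature: the key owner's secret is used as
# an HMAC key, so only the owner can produce a MAC that verifies. Constructed
# for illustration only; real OpenPGP self-sigs are public-key signatures.
@dataclass(frozen=True)
class SelfSig:
    timestamp: int   # signature creation time
    prefs: str       # the preferences this self-sig asserts
    mac: bytes       # the "signature" over (timestamp, prefs)

def sign(secret: bytes, timestamp: int, prefs: str) -> SelfSig:
    msg = f"{timestamp}|{prefs}".encode()
    return SelfSig(timestamp, prefs, hmac.new(secret, msg, hashlib.sha256).digest())

def verify(secret: bytes, sig: SelfSig) -> bool:
    msg = f"{sig.timestamp}|{sig.prefs}".encode()
    return hmac.compare_digest(sig.mac, hmac.new(secret, msg, hashlib.sha256).digest())

def keyserver_merge(stored: list[SelfSig], uploaded: list[SelfSig]) -> list[SelfSig]:
    """A keyserver has no crypto support: all it can do is union what it is
    given, so every self-sig ever uploaded (genuine or garbage) accumulates."""
    seen = set(stored)
    return stored + [s for s in uploaded if s not in seen]

def prune_latest_by_timestamp(sigs: list[SelfSig]) -> SelfSig:
    """The 'keep the newest timestamp' idea from the thread, done WITHOUT
    verification: an unverifiable upload with a later timestamp wins."""
    return max(sigs, key=lambda s: s.timestamp)

def gpg_import(secret: bytes, sigs: list[SelfSig]) -> SelfSig | None:
    """What a verifying client can do: drop self-sigs that fail verification,
    then keep the newest of the remainder."""
    valid = [s for s in sigs if verify(secret, s)]
    return max(valid, key=lambda s: s.timestamp) if valid else None

def demo() -> tuple[SelfSig, SelfSig | None]:
    owner_secret = b"constructed-owner-secret"          # constructed sample
    stored = [sign(owner_secret, 1000, "AES256 SHA256"),
              sign(owner_secret, 2000, "AES256 SHA512")]  # owner updated prefs
    # Someone uploads garbage with a far-future timestamp; the keyserver stores it.
    bogus = SelfSig(9999, "garbage", b"\x00" * 32)
    merged = keyserver_merge(stored, [bogus])
    return prune_latest_by_timestamp(merged), gpg_import(owner_secret, merged)
```

Running `demo()` shows the timestamp-only pruner selecting the bogus entry, while the verifying import returns the owner's genuine newest self-signature.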