multiple copies of the self-signature on the key
David Shaw
dshaw at jabberwocky.com
Fri Jun 16 15:59:43 CEST 2006
On Fri, Jun 16, 2006 at 03:01:20PM +0200, Janusz A. Urbanowicz wrote:
> On Fri, Jun 16, 2006 at 08:11:18AM -0400, David Shaw wrote:
> > > > Without crypto support, how is the keyserver to know that the nice new
> > > > signature with a later timestamp is in fact a real signature and not
> > > > garbage? It would be a perfect denial-of-service attack to upload
> > > > bogus selfsignatures and then sit back and watch the keyserver erase
> > > > parts of the key.
> > > >
> > > > GPG can do this because it can actually verify the signatures and
> > > > check. Keyservers are just storage and cannot verify.
> > >
> > > So, why GPG doesn't do this on import? AFAIR PGP 2 did this automatically.
> >
> > PGP 2 didn't store anything useful in the self-signature, so there
> > were never more than one unless someone intentionally forced one to be
> > there.
> >
> > In any event, GPG can do this on import, but it is optional. If you
> > want it:
> >
> > keyserver-options import-clean
>
> but this will clear all "unneeded stuff" from the keys imported and not only
> from my key?
Yes. I have to confess I'm not sure what you are getting at here.
What are you trying to do?
David
More information about the Gnupg-devel
mailing list