multiple copies of the self-signature on the key

David Shaw dshaw at jabberwocky.com
Fri Jun 16 15:59:43 CEST 2006


On Fri, Jun 16, 2006 at 03:01:20PM +0200, Janusz A. Urbanowicz wrote:
> On Fri, Jun 16, 2006 at 08:11:18AM -0400, David Shaw wrote:
> > > > Without crypto support, how is the keyserver to know that the nice new
> > > > signature with a later timestamp is in fact a real signature and not
> > > > garbage?  It would be a perfect denial-of-service attack to upload
> > > > bogus self-signatures and then sit back and watch the keyserver erase
> > > > parts of the key.
> > > > 
> > > > GPG can do this because it can actually verify the signatures and
> > > > check.  Keyservers are just storage and cannot verify.
> > > 
> > > So, why doesn't GPG do this on import? AFAIR PGP 2 did this automatically.
> > 
> > PGP 2 didn't store anything useful in the self-signature, so there
> > was never more than one unless someone intentionally forced one to be
> > there.
> > 
> > In any event, GPG can do this on import, but it is optional.  If you
> > want it:
> > 
> >   keyserver-options import-clean
> 
> But this will clear all "unneeded stuff" from the keys imported and not only
> from my key?

Yes.  I have to confess I'm not sure what you are getting at here.
What are you trying to do?

David


