Web of Trust spam prevention (was: Re: recommendation for key servers)

Jacob Bachmeyer jcb62281 at gmail.com
Thu Jul 1 02:01:24 CEST 2021

Andrew Gallagher via Gnupg-devel wrote:
> I think the third-party sig issues raised in this post are best 
> tackled with attestations, as discussed already. The trick is to get 
> the end-user workflow cleaned up and into as many clients as possible.

As I see the problem, links in the Web of Trust should be symmetric:  if 
Alice has verified Bob's key, Bob should have also verified Alice's 
key.  Enforcing this would eliminate spam signatures, but would also 
require some way for the system to recognize the intermediate state 
where Bob has uploaded his signature for Alice's key but Alice has not 
yet uploaded her signature for Bob's key.  Perhaps you have 30 days to 
upload your signature after certifying a key?  Unidirectional signatures 
would not be publicly shown until the "other half" of the link is 
uploaded and would be dropped after the keyservers have held them for 30 
days if the link is not completed?

There would still be possibility to build an entire fake "troll" Web of 
Trust with fake keys cross-certifying each other, but I do not have any 
ideas to solve that issue yet.

-- Jacob

More information about the Gnupg-devel mailing list