Web of Trust spam prevention (was: Re: recommendation for key servers)
Jacob Bachmeyer
jcb62281 at gmail.com
Thu Jul 1 02:01:24 CEST 2021
Andrew Gallagher via Gnupg-devel wrote:
> I think the third-party sig issues raised in this post are best
> tackled with attestations, as discussed already. The trick is to get
> the end-user workflow cleaned up and into as many clients as possible.
As I see the problem, links in the Web of Trust should be symmetric: if
Alice has verified Bob's key, Bob should have also verified Alice's
key. Enforcing this would eliminate spam signatures, but would also
require some way for the system to recognize the intermediate state
where Bob has uploaded his signature for Alice's key but Alice has not
yet uploaded her signature for Bob's key. Perhaps you have 30 days to
upload your signature after certifying a key? Unidirectional signatures
would not be publicly shown until the "other half" of the link is
uploaded and would be dropped after the keyservers have held them for 30
days if the link is not completed?
There would still be the possibility to build an entire fake "troll" Web of
Trust with fake keys cross-certifying each other, but I do not have any
ideas to solve that issue yet.
-- Jacob
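The keyserver-side rule sketched in the message above (hold a one-sided certification, show it only once the other half arrives, drop it after 30 days), written out as a toy simulation. This is an added example, not code from the original post or from any keyserver or GnuPG implementation: key names are plain strings standing in for fingerprints, a certification is just a (signer, target) pair with its upload time, and the 30-day hold period, the class and function names are assumptions. It also runs the "troll ring" case the post leaves open, to show that two fake keys cross-certifying each other pass the symmetry check unhindered.

```python
"""Toy keyserver that only publishes reciprocal Web of Trust links.

Added illustration, not part of the original post or of any real
keyserver. Keys are strings standing in for fingerprints; a real
implementation would parse third-party certifications out of OpenPGP
key packets instead of taking (signer, target) tuples.
"""
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(days=30)  # assumed grace period from the proposal


class SymmetricKeyserver:
    def __init__(self):
        # unilateral certifications not yet shown: (signer, target) -> upload time
        self.pending = {}
        # completed links that are shown publicly: frozenset({a, b})
        self.published = set()

    def submit(self, signer, target, now):
        """Accept a certification of `target` by `signer` uploaded at `now`.

        Returns True if this upload completed a link (both halves present
        within HOLD_PERIOD of each other), False if it is being held.
        """
        if signer == target:
            raise ValueError("self-signatures are not Web of Trust links")
        link = frozenset((signer, target))
        if link in self.published:
            return True
        self.expire(now)  # stale halves must not complete a link
        reverse = (target, signer)
        if reverse in self.pending:
            # the other half arrived in time: publish, clear both from pending
            del self.pending[reverse]
            self.pending.pop((signer, target), None)
            self.published.add(link)
            return True
        # first half only: hold it; a re-upload restarts the clock
        self.pending[(signer, target)] = now
        return False

    def expire(self, now):
        """Drop unilateral certifications held longer than HOLD_PERIOD."""
        stale = [k for k, t in self.pending.items() if now - t > HOLD_PERIOD]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def visible(self, now):
        """What a client fetching keys would see: completed links only."""
        self.expire(now)
        return {tuple(sorted(link)) for link in self.published}

    def held(self, now):
        """Unilateral certifications still waiting for their other half."""
        self.expire(now)
        return set(self.pending)


def demo():
    """Constructed scenario: an honest pair, a spammer, and a troll ring."""
    ks = SymmetricKeyserver()
    t0 = datetime(2021, 7, 1)
    # Bob certifies Alice; nothing is shown until Alice reciprocates.
    first = ks.submit("bob", "alice", t0)
    # Alice reciprocates on day 10: the link is published.
    second = ks.submit("alice", "bob", t0 + timedelta(days=10))
    # A spammer certifies Carol and never gets a signature back.
    ks.submit("spammer", "carol", t0)
    # Two fake keys cross-certify: this passes the check (the open problem).
    ks.submit("troll1", "troll2", t0)
    ks.submit("troll2", "troll1", t0 + timedelta(days=1))
    later = t0 + timedelta(days=45)
    return {
        "first_held": not first,
        "second_published": second,
        "visible": ks.visible(later),
        "held_after_45_days": ks.held(later),
    }


def late_reciprocation():
    """Expiry path: the second half arrives after the hold period."""
    ks = SymmetricKeyserver()
    t0 = datetime(2021, 7, 1)
    ks.submit("alice", "bob", t0)
    t1 = t0 + timedelta(days=31)
    completed = ks.submit("bob", "alice", t1)
    return completed, ks.visible(t1), ks.held(t1)


if __name__ == "__main__":
    print(demo())
    print(late_reciprocation())
```

The spammer's certification never becomes visible and is gone after the hold period, which is the property the proposal buys; the troll ring is published just like the honest pair, which is the limitation the post acknowledges. Note that `expire` runs on every submission so that a stale half cannot be completed late, and that re-uploading an unanswered certification restarts its clock, a detail a real deployment would have to decide on deliberately.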