Duplicated self-signatures on keyservers

Manuel Samper manuel@samper.dyndns.org
Fri May 16 23:49:02 2003


Jason Harris, on Fri, May 16 2003 at 20:11, wrote:
> On Fri, May 16, 2003 at 02:31:57PM +0200, Manuel Samper wrote:
> 
> > I recently created a keypair (fffd5da0), and sent it to public
> > keyservers.  Later, I modified the preferences on their user ids (gpg
> > --edit-key, setpref and updpref), and sent it again to keyservers.  Now,
> > when I search my key, I see now two self-signatures: 
> > http://keyserver.kjsl.com:11371/pks/lookup?op=vindex&search=0xfffd5da0
> 
> keyserver.kjsl.com and newer pks keyservers (I think my keyserver list
> is current enough to show them all, see my website), as well as the LDAP

I know, and BTW a great resource your keyanalyze statistics, and your
work on fixing the hpk keyserver bugs, thanks.

> and SKS (http://sks.sf.net/), and perhaps OKS (keyserver.net), keyservers
> store all versions of all signatures.

Yes, I have seen the same behaviour in a sks keyserver. I see now that
it also stores multiple signatures for subkeys, due to changing the
expiration time, I guess. See:
http://keyserver.bu.edu:11371/pks/lookup?search=0xfffd5da0&op=vindex

> > AFAIK, keyservers merge up everything and don't remove anything, and the
> 
> Older pks keyservers keep only the most recent signature.

Ah, that's what confused me...

And I should have written "multiple self-signatures", rather than
"duplicate".

> > Not especially worried about it, just imagining the case of a key bloated
> > with a bunch of self-signatures...  but in that case, it's better to
> > fetch it directly from its owner and not from the keyservers, I think.
> 
> Use the older pks servers then, until you find a key with a bad selfsig
> and want to see what other selfsigs are available on the keyservers that
> keep all signatures.

But older servers are buggy and don't properly handle multiple subkeys,
among other things (again, AFAIK).

Thinking about this (and that's where gpg comes into play), if older
versions of self-signatures are of no practical use, and may only bloat
the public key, they should be stripped at download time by the
"keyclient" (gpg in our case), although they are preserved in the
keyserver for some reason (you should know better).

-- 
Manuel Samper                                   OpenPGP Key ID: FFFD5DA0
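
The situation discussed in this message, as an added example that is not part of the original post: a Python check that reads a listing in the colon-delimited format of `gpg --list-sigs --with-colons` and reports, for each user ID and subkey, the newest self-signature and the older ones a keyserver has kept. The listing, the 16-digit key IDs and the timestamps are constructed, and the example assumes epoch-second timestamps in field 6.

```python
from collections import defaultdict

# Constructed sample in gpg's colon-delimited listing format (not real key data).
SAMPLE = """\
pub:-:1024:17:0123456789ABCDEF:1052000000:::-:::scESC:
uid:-::::1052000000::HASH1::Example User <user@example.org>:
sig:::17:0123456789ABCDEF:1052000000::::Example User <user@example.org>:13x:
sig:::17:0123456789ABCDEF:1053000000::::Example User <user@example.org>:13x:
sig:::17:FEDCBA9876543210:1052500000::::Other Signer <other@example.org>:10x:
sub:-:2048:16:1111111111111111:1052000000::::::e:
sig:::17:0123456789ABCDEF:1052000000::::Example User <user@example.org>:18x:
sig:::17:0123456789ABCDEF:1053500000::::Example User <user@example.org>:18x:
"""

# Signature classes that can be self-signatures: user ID certifications
# (0x10-0x13), subkey binding (0x18) and direct-key (0x1f).
SELF_SIG_CLASSES = {"10", "11", "12", "13", "18", "1f"}


def superseded_selfsigs(listing):
    """Map each user ID / subkey to (newest self-sig time, [older times]).

    Only components carrying more than one self-signature are reported.
    """
    primary, component = None, None
    times = defaultdict(list)
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":            # field 5 is the primary key ID
            primary = f[4]
            component = "pub " + f[4]
        elif f[0] == "uid":          # field 10 is the user ID string
            component = "uid " + f[9]
        elif f[0] == "sub":
            component = "sub " + f[4]
        elif f[0] == "sig" and component and f[4] == primary:
            # Issued by the primary key itself: a self-signature candidate.
            if f[10][:2].lower() in SELF_SIG_CLASSES:
                times[component].append(int(f[5]))
    report = {}
    for comp, ts in times.items():
        if len(ts) > 1:
            ts.sort(reverse=True)
            report[comp] = (ts[0], ts[1:])
    return report


if __name__ == "__main__":
    for comp, (newest, older) in superseded_selfsigs(SAMPLE).items():
        print(f"{comp}: newest {newest}, {len(older)} older self-signature(s)")
```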