Duplicated self-signatures on keyservers

David Shaw dshaw@jabberwocky.com
Sat May 17 14:16:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, May 16, 2003 at 11:49:33PM +0200, Manuel Samper wrote:
> Jason Harris, on Fri, May 16 2003 at 20:11, wrote:

> > > Not worried specially about it, just imagining the case of a key bloated
> > > with a bunch of self-signatures...  but in that case, it's better to
> > > fetch it directly from their owner and not from the keyservers, I think.
> > 
> > Use the older pks servers then, until you find a key with a bad selfsig
> > and want to see what other selfsigs are available on the keyservers that
> > keep all signatures.
> 
> But older servers are buggy and don't handle properly multiple subkeys
> among other things (again, AFAIK).
> 
> Thinking about this (and that's where gpg come into play), if older
> versions of self-signatures are of no practical use, and may only bloat
> the public key, it should be stripped at download time by the
> "keyclient" (gpg in our case), although it are preserved in the
> keyserver for some reasons (you should known better).

Yes, that is what happens now.  GnuPG automatically strips an older
self signature if a newer valid self signature is already available.
On the other hand, a newer self signature is accepted for import, but
the old one is not deleted.  This is occasionally reported as a bug.
It isn't a bug, but it can be confusing.

It is a very good thing that the keyservers do not do this since they
do not have cryptographic support to know whether the "new" signature
is valid (or indeed, whether it is really new or not).

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+xbIs4mZch0nhy8kRAlxxAJ0So1TV/sTVDfHpdqo+YvjaOdALVACgxAeq
HnzOaoaPpEXhjuk7JR/j/Xs=
=7E2c
-----END PGP SIGNATURE-----