Global Directory signatures (was Re: GPG wants to check trustdb every day)

David Shaw dshaw at jabberwocky.com
Wed Dec 29 05:02:44 CET 2004


On Tue, Dec 28, 2004 at 10:16:24PM -0500, Atom 'Smasher' wrote:
> On Tue, 28 Dec 2004, David Shaw wrote:
> 
> > I have been toying with various possible things to do about it, and I 
> > welcome anyone's thoughts.
> >
> > Things I'm wondering about:
> >
> > * Have keyservers discard GD signatures?
> ===============
> 
> all GD sigs or expired GD sigs?

No real preference.  All?  The GD sigs aren't really relevant outside
of the GD system.

> > * Ask the PGP folks to do something (what?)
> ===============
> 
> if you're in contact with them, at least ask what the hell they're 
> thinking... this is a horrible pollution of the key-servers and WoT.

I strongly disagree.  The GD is just a key signer.  The GD does not
send its signatures to keyservers.  The GD doesn't even issue the
signature until someone asks it to.

If what the GD does could have an actual impact on the keyservers and
web of trust, then the keyservers and web of trust were already
hopelessly broken.  They weren't broken before, and the GD doesn't
break them any more than any prolific signer would (that is, not at
all).  There is only one thing that the GD actually breaks, and that's
the various "what's the path from key XXXXX to key YYYYY" servers like
wotsap.  Those servers will eventually need to leave the GD key out to
avoid the short circuit that the GD signature provides.

My concern is mainly about the aesthetics here.  It's unattractive
(and over time large) to have that many expired sigs on your key.

> another possibility might be an option to purge expired sigs from a local 
> keyring.

This is essentially the same as not exporting expired sigs to
keyservers.  It doesn't work well for the reasons I mentioned in the
last email, though it might work well enough to slow the problem down.

David
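The "short circuit" through the GD key that David describes can be seen with a toy trust-path finder. This is an added example, not code from the thread or from wotsap; the key IDs and the signature list are constructed, and it assumes that a couple of keys have certified the GD key so that it can appear on a path.

```python
from collections import deque

# Constructed sample signature graph (hypothetical key IDs, not real keys).
# Each pair is (signer, signed_key). "GD" stands in for the Global Directory
# key, which certifies every key that asks it to; A and E are assumed to have
# certified the GD key in return.
SIGNATURES = [
    ("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"),
    ("GD", "A"), ("GD", "B"), ("GD", "C"), ("GD", "D"), ("GD", "E"),
    ("A", "GD"), ("E", "GD"),
]


def build_graph(sigs, exclude=frozenset()):
    """Adjacency map signer -> set of keys it certified, leaving out any
    key listed in `exclude` (the way a path server would drop the GD key)."""
    graph = {}
    for signer, signed in sigs:
        if signer in exclude or signed in exclude:
            continue
        graph.setdefault(signer, set()).add(signed)
        graph.setdefault(signed, set())
    return graph


def trust_path(graph, start, target):
    """Shortest chain of certifications from `start` to `target` (breadth-first
    search), or None if no chain exists."""
    if start not in graph or target not in graph:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        key = queue.popleft()
        if key == target:
            path = []
            while key is not None:
                path.append(key)
                key = prev[key]
            return path[::-1]
        for nxt in graph[key]:
            if nxt not in prev:
                prev[nxt] = key
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print(trust_path(build_graph(SIGNATURES), "A", "E"))                # ['A', 'GD', 'E']
    print(trust_path(build_graph(SIGNATURES, exclude={"GD"}), "A", "E"))  # ['A', 'B', 'C', 'D', 'E']
```

With the GD key present every pair of keys it has certified is two hops apart, which says nothing about whether anyone actually verified those keys; excluding it restores the path the human signatures support.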