Global Directory signatures (was Re: GPG wants to check trustdb every day)

David Shaw dshaw at jabberwocky.com
Wed Dec 29 16:34:01 CET 2004


On Wed, Dec 29, 2004 at 03:48:48PM +0100, Johan Wevers wrote:
> David Shaw wrote:
> 
> >* A new switch to not send expired sigs to keyservers and/or a switch
> >  to not accept expired sigs from keyservers.  This would slow down
> >  the growth, but not fix it completely as there is still the 2-week
> >  window before the sig expires.  This might be a good thing for
> >  general keyserver and keyring cleanliness though.
> 
> Yes. However, it still doesn't prevent the keyservers from being
> loaded with a lot of useless signatures. I don't know how this would
> affect the load of the keyservers.

It lowers the rate of growth (and thus the keyserver load) since gpg
would not send out expired sigs to keyservers.  The GD itself doesn't
export keys, so if we can prevent users from doing it accidentally,
then the useless sigs never get onto the keyserver net.

> >* Have keyservers discard GD signatures?
> 
> Or at least have them remove all GD sigs except the last issued.

That's up to the keyserver authors.  I'm not against it, but they
might be as it involves special-casing certain keys.

> >* Ask the PGP folks to do something (what?)
> 
> Increase the expiry date of their signature to something more useful,
> like a year.

I'm still holding out hope that the current 14 day expiry is because
the keyserver is still in beta.  The GD is supposed to revalidate keys
every 6 months, so a 6 month expiry seems obvious to me.

> However, what about a GnuPG option like --clean-keyring that
> deletes all expired sigs, or perhaps deletes all (expired or not?)
> sigs from a given key, from your pubring? If the bloating occurs,
> you could at least clean up your keyring without manually deleting
> all those signatures.

I wonder if it is better to "clean" the keyring by simply not showing
or preventing the import of sigs that are not useful rather than by
deleting them after they are already imported.  Flags for "don't
show/expire/import expired sigs" you can set once in gpg.conf and
you're done.  Deleting expired sigs you have to do every single time
you do a --refresh-keys.

David
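
The two cleanup ideas in the message above (drop expired sigs; keep only
the last-issued sig from a given signer) as an added example, not code from
the thread or from GnuPG. It works on the `gpg --with-colons --list-sigs`
record format (one record per line, fields separated by ':'; for `sig`
records field 5 is the signer key ID, field 6 the creation time and field 7
the expiration time, as seconds since the epoch). The listing, key IDs,
user IDs and "current time" below are constructed for the example. Later
GnuPG releases added `--import-options import-clean` and
`--export-options export-clean` for the same purpose; this thread predates
them.

```python
"""Find and drop expired certification signatures in a GnuPG key listing.

Added example for the thread above; it is not GnuPG code.  Input is the
`gpg --with-colons --list-sigs` record format.  The listing below is
constructed, and the key IDs and user IDs in it are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a key with its self-signature plus four 14-day
# certifications from one "directory"-style signer, two of them expired.
SAMPLE_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:1104000000::u:::scaESCA:::::::
uid:u::::1104000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sig:::17:0123456789ABCDEF:1104000000::::Alice Example <alice@example.org>:13x:::::::
sig:::17:FEDCBA9876543210:1101600000:1102809600:::Example Directory Signer (constructed):10x:::::::
sig:::17:FEDCBA9876543210:1102900000:1104109600:::Example Directory Signer (constructed):10x:::::::
sig:::17:FEDCBA9876543210:1103500000:1104709600:::Example Directory Signer (constructed):10x:::::::
sig:::17:FEDCBA9876543210:1104000000:1105209600:::Example Directory Signer (constructed):10x:::::::
"""

# Constructed "now": 2004-12-29 06:40 UTC, about when the thread was written.
NOW = 1104300000


@dataclass
class Sig:
    line: str            # original record, re-emitted unchanged if kept
    signer: str          # key ID of the certifying key
    created: int
    expires: Optional[int]
    uid: str
    sig_class: str       # e.g. "10x" generic certification, "13x" positive

    def is_expired(self, now: int) -> bool:
        return self.expires is not None and self.expires <= now


def parse_sig(line: str) -> Optional[Sig]:
    """Return a Sig for a `sig` record, None for any other record type."""
    f = line.split(":")
    if f[0] != "sig" or len(f) < 11:
        return None
    return Sig(line=line, signer=f[4], created=int(f[5]),
               expires=int(f[6]) if f[6] else None, uid=f[9], sig_class=f[10])


def clean_listing(text: str, now: int,
                  keep_latest_per_signer: bool = False) -> Tuple[List[str], List[Sig]]:
    """Drop expired sigs; optionally also keep only each signer's newest sig.

    Returns (kept_lines, dropped_sigs).  Non-sig records pass through
    untouched and kept sigs stay under the user ID they certify.
    """
    kept: List[str] = []
    dropped: List[Sig] = []
    block: List[Sig] = []  # unexpired sigs under the current uid/pub record

    def flush() -> None:
        if keep_latest_per_signer:
            latest: Dict[str, Sig] = {}
            for s in block:
                if s.signer not in latest or s.created > latest[s.signer].created:
                    latest[s.signer] = s
            dropped.extend(s for s in block if latest[s.signer] is not s)
            kept.extend(s.line for s in block if latest[s.signer] is s)
        else:
            kept.extend(s.line for s in block)
        block.clear()

    for line in text.splitlines():
        sig = parse_sig(line)
        if sig is None:           # pub/uid/sub/...: close the previous sig block
            flush()
            kept.append(line)
        elif sig.is_expired(now):
            dropped.append(sig)
        else:
            block.append(sig)
    flush()
    return kept, dropped


def sig_count(lines: List[str]) -> int:
    """Number of `sig` records in a listing."""
    return sum(1 for l in lines if l.startswith("sig:"))


if __name__ == "__main__":
    kept, dropped = clean_listing(SAMPLE_LISTING, NOW, keep_latest_per_signer=True)
    for s in dropped:
        print(f"drop sig by {s.signer} created {s.created} expires {s.expires}")
    print("\n".join(kept))
```

On a real keyring, feed it the output of `gpg --with-colons --list-sigs
<keyid>`; the record format is documented in GnuPG's doc/DETAILS. Note that
dropping "all but the last issued" also discards a still-valid earlier sig
from the same signer, which is exactly what the suggestion above asks for.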



More information about the Gnupg-users mailing list