Global Directory signatures (was Re: GPG wants to check trustdb every day)

Jason Harris jharris at widomaker.com
Wed Dec 29 21:18:51 CET 2004


On Wed, Dec 29, 2004 at 08:23:17AM -0500, David Shaw wrote:
> On Wed, Dec 29, 2004 at 12:47:22AM -0500, Jason Harris wrote:
> > On Tue, Dec 28, 2004 at 11:44:21PM -0500, David Shaw wrote:

> > > The GD doesn't support no-modify either.
> > 
> > It is enforcing something.  It won't take any new signatures on its own
> > key, 0xCA57AD7C, and the only signatures it has on your key, 0x99242560,
> > all seem to be from other keys it has stored.
> 
> Yes.  As I understand it, the GD has a weak form of no-modify since it
> does not allow new user IDs or subkeys without approval, but does
> allow new signatures without approval.  The new signatures must come
> from a key that is already on the GD.

Not for 0xCA57AD7C itself.  On regular keyservers, we see three external
revocations on 0xCA57AD7C and a few hundred signatures on 0xCA57AD7C
v. a few on the pgp.com keyserver.  Even if ldap://keyserver.pgp.com
isn't enforcing no-modify on 0xCA57AD7C via cryptographic checks, it
still appears to be doing so from the outside.  (Yes, at least some of
the external sigs on 0xCA57AD7C are for keys found on keyserver.pgp.com.)
(Alas, I don't see no-modify set in the current selfsigs on 0xCA57AD7C
from ldap://keyserver.pgp.com at all.)

> > Also, it doesn't necessarily wait until its last signature expires before
> > issuing a new one:
> 
> Yes, I mentioned this in my first mail.  There seems to be an overlap
> between the old and new signatures.  The signature lasts for 14 days,
> but the new signature is issued sooner.  I've seen overlaps as short
> as 8 days.

Your own key, 0x99242560, has two valid signatures made during the
same (TZ=UTC) day by 0xCA57AD7C, as I mentioned in my last message.
Specifically, they are timestamped Wed Dec 29 05:12:01 UTC 2004 and
Wed Dec 29 05:24:00 UTC 2004.  (If this was a one-time bug, fine.)

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
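The behaviour discussed in this thread (14-day Global Directory signatures, reissued with an overlap of as little as 8 days, and two signatures on one key within the same UTC day) can be checked mechanically from `gpg --with-colons --list-sigs` output. The script below is an added example, not code from this thread or from GnuPG or the PGP Global Directory. The colon records are constructed: the 16-digit signer key IDs are placeholders built around the short IDs mentioned above (the real long IDs are not on the page), the user ID string is invented, and only the two Dec 29 2004 timestamps (05:12:01 and 05:24:00 UTC) are taken from the message; the other creation times and the 14-day lifetime are chosen to reproduce an 8-day overlap.

```python
"""Audit short-lived third-party signatures in `gpg --with-colons --list-sigs` output:
list the signatures from one signer, compute how far each one is issued before
the previous one expires, and flag days on which the signer issued more than one.
Added example; the sample records below are constructed, not real GD output."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def _epoch(y, m, d, hh=0, mm=0, ss=0) -> int:
    """UTC calendar time -> epoch seconds, as found in colon-format sig records."""
    return int(datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc).timestamp())

FOURTEEN_DAYS = 14 * 86400

# Constructed colon-format listing. Signer IDs are placeholders ending in the short
# IDs from the thread; the UID is invented. Field layout of a "sig" record:
# 0 'sig', 3 algo, 4 signer key ID, 5 created, 6 expires (empty = never),
# 9 user ID signed, 10 signature class.
_GD = "00000000CA57AD7C"     # placeholder long ID for the GD key 0xCA57AD7C
_OWN = "0000000099242560"    # placeholder long ID for the signed key 0x99242560
_UID = "Example User <user@example.invalid>"
_times = [
    _epoch(2004, 12, 9, 6, 0, 0),     # expires Dec 23 06:00
    _epoch(2004, 12, 15, 6, 0, 0),    # issued 8 days before the previous expiry
    _epoch(2004, 12, 29, 5, 12, 1),   # timestamp quoted in the message
    _epoch(2004, 12, 29, 5, 24, 0),   # second GD sig the same UTC day
]
SAMPLE = "\n".join(
    [f"pub:-:1024:17:{_OWN}:1000000000:::-:::scESC:",
     f"uid:-::::1000000000::0123456789ABCDEF0123456789ABCDEF01234567::{_UID}:",
     f"sig:::17:{_OWN}:1000000000:::::{_UID}:13x:"]          # self-sig, no expiry
    + [f"sig:::1:{_GD}:{t}:{t + FOURTEEN_DAYS}::::{_UID}:13x:" for t in _times]
)

@dataclass
class Sig:
    signer: str
    created: int
    expires: Optional[int]
    uid: str
    sigclass: str

def parse_sigs(colon_output: str) -> list:
    """Extract the 'sig' records; other record types (pub, uid, sub, ...) are skipped."""
    sigs = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 11:
            continue
        sigs.append(Sig(signer=f[4].upper(), created=int(f[5]),
                        expires=int(f[6]) if f[6] else None,
                        uid=f[9], sigclass=f[10]))
    return sigs

def sigs_by(sigs, keyid: str) -> list:
    """Signatures from one signer (short or long ID, matched as a suffix), oldest first."""
    suffix = keyid.upper().removeprefix("0X")
    return sorted((s for s in sigs if s.signer.endswith(suffix)), key=lambda s: s.created)

def overlaps(sigs, keyid: str) -> list:
    """(prev_created, next_created, prev.expires - next.created) for consecutive sigs.
    A positive third value is the overlap in seconds; negative means a coverage gap."""
    chain = sigs_by(sigs, keyid)
    return [(p.created, n.created, p.expires - n.created)
            for p, n in zip(chain, chain[1:]) if p.expires is not None]

def same_day_pairs(sigs, keyid: str) -> dict:
    """UTC dates on which the signer issued more than one signature -> those sigs."""
    by_day = {}
    for s in sigs_by(sigs, keyid):
        day = datetime.fromtimestamp(s.created, timezone.utc).date()
        by_day.setdefault(day, []).append(s)
    return {d: ss for d, ss in by_day.items() if len(ss) > 1}

if __name__ == "__main__":
    sigs = parse_sigs(SAMPLE)
    for prev_c, next_c, ov in overlaps(sigs, "0xCA57AD7C"):
        print(f"{datetime.fromtimestamp(prev_c, timezone.utc):%Y-%m-%d %H:%M:%S} -> "
              f"{datetime.fromtimestamp(next_c, timezone.utc):%Y-%m-%d %H:%M:%S}: "
              f"overlap {ov / 86400:.2f} days")
    for day, ss in same_day_pairs(sigs, "0xCA57AD7C").items():
        print(f"{len(ss)} signatures from the same signer on {day}")
```

To run it against a real key, replace `SAMPLE` with the output of `gpg --with-colons --list-sigs 0x99242560` and keep the placeholder IDs only as the suffix to match on; the suffix match means the short ID from the thread is enough.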