Global Directory signatures (was Re: GPG wants to check trustdb every day)

David Shaw dshaw at jabberwocky.com
Fri Dec 31 03:48:22 CET 2004


On Thu, Dec 30, 2004 at 12:51:08PM -0500, Jason Harris wrote:
> On Thu, Dec 30, 2004 at 12:19:45AM -0500, David Shaw wrote:
> > On Wed, Dec 29, 2004 at 11:35:12PM -0500, Jason Harris wrote:
> 
> > > Good luck.  Each person who signed 0xCA57AD7C and uploaded their
> > > signature for others to use:
> 
> > > probably disagrees, unless keyserver.pgp.com is now secretly
> > > infiltrating its keys into the regular public keyserver network.
> > 
> > I'm not sure what connection this comment has with the discussion.
> 
> > As I said, unless someone is bridging keys intentionally, then the
> > GnuPG filter should handle it reasonably well.  (Only "reasonably"
> > well because of the overlap in signature dates).
> 
> People are "bridging keys[erver networks]."  They have to be downloading
> their signed key from the pgp.com keyserver, verifying the signature from
> 0xCA57AD7C, signing 0xCA57AD7C, and uploading it with their reciprocal
> signature to a synchronized keyserver.  (OK, they could be skipping the
> first two steps...  :)

This is not an example of bridging keys.  The GD key (CA57AD7C) is
stored on the GD, but isn't itself certified by the GD (except for the
obvious selfsig) and isn't part of the GD verification system.

An example of bridging keys is (for example), my key 99242560.
Someone took the trouble of downloading it from the GD, and then
uploading it (gee thanks) to the keyserver net.  They didn't add any
signatures, they didn't add anything at all - just copied it over.  It
could have been accidental or it could have been intentional, and it's
probably happened to at least a few keys besides mine.  I don't think
this sort of thing is common, or there would be a huge number of
signatures from the GD key on the keyserver net, and there aren't.
Since this isn't common, then a GnuPG feature to disregard expired
sigs should work reasonably well, as I've said.

> http://keyserver.kjsl.com/~jharris/ka/current/CA/CA57AD7C shows 163
> signatures to and 120 signatures from 0xCA57AD7C by 2004-12-26. The
> report for 2004-12-12 lists 36 signatures to and from 0xCA57AD7C.
> All of these keys signed by 0xCA57AD7C made their way from the
> pgp.com keyserver to the regular keyservers.  Assuming all
> signatures from 0xCA57AD7C expire in 14 days, any keys appearing in
> both reports were uploaded twice.  OK, 0xF7447263 is the only key
> common to these two reports.

Which shows that people aren't actively bridging keys, or you'd have
vastly more than 120 signatures issued by the GD key on the keyserver
net.  Far more than 120 people use the GD.

David
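As an added example (not code from GnuPG, from the Global Directory, or from either poster), the following Python post-filter over `gpg --with-colons --list-sigs` output drops expired certifications and counts those issued by a given short key ID. It is the kind of check behind the "signatures to and from 0xCA57AD7C" tallies and the "disregard expired sigs" behaviour discussed above, done outside gpg. The listing it parses is constructed: the 64-bit key IDs, user IDs and dates are invented, and only the short ID CA57AD7C comes from the thread. Field positions follow GnuPG's documented colon-separated record layout (field 5 signer key ID, 6 creation, 7 expiration, 10 user ID, 11 signature class).

```python
"""Post-filter for `gpg --with-colons --list-sigs` output.

Added example, not GnuPG code: keeps only non-expired `sig` records and
tallies those issued by a chosen signer.  The sample listing below is
constructed; nothing in it is a real key.
"""

from datetime import datetime, timezone

# Short key ID of the Global Directory signing key, as named in the thread.
GD_SHORT_KEYID = "CA57AD7C"

# Constructed sample output (field 5 = signer key ID, 6 = creation,
# 7 = expiration, 10 = signer user ID, 11 = signature class).  The long
# key IDs and user IDs are invented; colons in real uids are escaped by
# gpg as \x3a, which this toy listing avoids.
SAMPLE_LISTING = """\
pub:-:1024:17:1122334455667788:2001-01-01:::-:::scESC:
uid:-::::2001-01-01::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>:
sig:::17:1122334455667788:2001-01-01::::Example User <user@example.org>:13x:
sig:::17:ABCDEF12CA57AD7C:2004-12-01:2004-12-15:::Global Directory (constructed uid):10x:
sig:::17:ABCDEF12CA57AD7C:2004-12-20:2005-01-03:::Global Directory (constructed uid):10x:
sig:::17:00000000F7447263:2004-06-10::::Some Signer <signer@example.org>:13x:
"""


def parse_date(text):
    """gpg 1.x prints YYYY-MM-DD here; gpg 2.x prints epoch seconds.  Accept both."""
    if text.isdigit():
        return datetime.fromtimestamp(int(text), tz=timezone.utc)
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_sigs(listing):
    """Return a list of dicts, one per `sig` record, ignoring other record types."""
    sigs = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sig" or len(fields) < 11:
            continue
        sigs.append({
            "signer": fields[4].upper(),
            "created": parse_date(fields[5]),
            "expires": parse_date(fields[6]) if fields[6] else None,
            "uid": fields[9],
            "class": fields[10],
        })
    return sigs


def is_expired(sig, now):
    """A signature with no expiration field never expires."""
    return sig["expires"] is not None and sig["expires"] <= now


def live_sigs(sigs, now):
    """The filter the thread asks for: disregard certifications that have expired."""
    return [s for s in sigs if not is_expired(s, now)]


def count_from(sigs, short_keyid):
    """Count signatures whose signer key ID ends in the given short (32-bit) ID."""
    return sum(1 for s in sigs if s["signer"].endswith(short_keyid.upper()))


def summarize(listing, as_of, short_keyid=GD_SHORT_KEYID):
    """Tally total/live signatures and those from `short_keyid` as of a date string."""
    now = parse_date(as_of)
    all_sigs = parse_sigs(listing)
    kept = live_sigs(all_sigs, now)
    return {
        "total": len(all_sigs),
        "live": len(kept),
        "from_signer": count_from(all_sigs, short_keyid),
        "from_signer_live": count_from(kept, short_keyid),
    }


if __name__ == "__main__":
    # Same reference date as the 2004-12-26 report mentioned in the thread.
    print(summarize(SAMPLE_LISTING, "2004-12-26"))
```

To run it against a real key, feed it `gpg --with-colons --list-sigs <keyid>` output instead of the constructed listing; the counting is per signer short ID, so keys whose long ID merely ends in the same 32 bits would be conflated, which is exactly why the thread refers to the GD key by its short ID only loosely.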
