[OT?]: Keyserver / Subkeys / replicating selfsigs

David Shaw dshaw at jabberwocky.com
Mon May 10 21:00:37 CEST 2004


On Mon, May 10, 2004 at 08:16:35PM +0200, Sascha Lüdecke wrote:
> 
> Hi David, hi list!
> 
> David Shaw <dshaw at jabberwocky.com> writes:
> 
> >> After some keysigning I was notified that my key on wwwkeys.pgp.net
> >> is unusable.  After taking a closer look there are strange
> >> effects.  This is my key:
> >>
> >> [...]
> >>
> >> b)  parts of the key get rejected.  When submitting through the
> >>     web interface, the result is:
> >> [...]
> >> 
> >>     What's going wrong here?
> >
> > The keyserver is broken.  Most of them are.  Very few are fixed.
> 
> Hm, bad luck for me this time then.  There are some _new_ servers on
> the rise calling themselves SKS, but I am sorry to say that even those
> are not yet OK now.  One of them lists a subkey of mine as revoked
> which it definitely isn't.  So I'll avoid any of them in the future.

The SKS servers are the few that I referred to that are fixed.  They
work properly, don't mangle keys, etc.

The problem with the SKS servers is not the SKS software itself, but
that operationally they are tied into the same keyserver network as
the broken servers.  Corruption spreads, even though it's likely not
from the SKS servers.

One current limitation of all keyservers (SKS included) is that they
do not have cryptographic support.  It's possible to forge a
revocation and send it to a keyserver and the keyserver will show the
key or subkey as revoked.  The key isn't really revoked, of course,
and importing it into GnuPG or PGP will show that.

> >> 2. Problem:  replicating selfsigs
> >> =================================
> >> 
> >> a)  what can I do to get rid of these selfsigs?
> >> b)  how can I stop the keyserver or gnupg from replicating these sigs?
> >
> > You can't win.  Give up.
> 
> I do :)  But I am left with a massive self-signed key.  Any way to
> remove the extra ones?

You can use gpg --edit-key and the "delsig" command to remove any
signature you don't want.  However, if you refresh the key from the
server, the signatures will come back.

David
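
Added example, not part of the original message: a shell/awk filter over `gpg --with-colons --list-sigs <key>` output that reports what the local GnuPG (which does check signatures) says about each subkey's revocation status and how many self-signatures each user ID carries before cleaning up with "delsig". Field positions follow GnuPG's colon listing format; the key IDs, names and timestamps in the sample are constructed.

```shell
#!/bin/sh
# Summarize colon-format key listings read from stdin.
#   field 1 = record type, field 2 = validity ("r" = revoked),
#   field 5 = key ID (on sig records: the signer's key ID),
#   field 10 = user ID string.
summarize_key() {
    awk -F: '
        function flush_uid() {
            if (uid != "") printf "uid %s selfsigs=%d\n", uid, n
            uid = ""; n = 0
        }
        $1 == "pub" { primary = $5 }
        $1 == "uid" { flush_uid(); uid = $10 }
        $1 == "sub" {
            flush_uid()
            printf "sub %s %s\n", $5, ($2 == "r" ? "revoked" : "not-revoked")
        }
        # A self-signature is a sig record under a uid made by the primary key.
        $1 == "sig" && uid != "" && $5 == primary { n++ }
        END { flush_uid() }
    '
}

# Constructed sample: one user ID with three self-signatures and one
# third-party signature, plus one subkey that GnuPG does not mark revoked.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAAAAAAAAAAAAAA:1084000000:::u:::scESC:
uid:u::::1084000000::0000::Example User <user@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1084000000::::Example User <user@example.org>:13x:
sig:::17:AAAAAAAAAAAAAAAA:1084000001::::Example User <user@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1084000002::::Other Signer <other@example.org>:10x:
sig:::17:AAAAAAAAAAAAAAAA:1084000003::::Example User <user@example.org>:13x:
sub:u:2048:16:CCCCCCCCCCCCCCCC:1084000000::::::e:
sig:::17:AAAAAAAAAAAAAAAA:1084000000::::Example User <user@example.org>:18x:
EOF
}

# Stand-alone run on the constructed sample. With a real key, use:
#   gpg --with-colons --list-sigs <key> | summarize_key
sample_listing | summarize_key
```

A subkey that a keyserver page shows as revoked but that this reports as "not-revoked" after import matches the forged-revocation case described above.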


