Stopping Useless Keys

Cyrus Yunker cyrus at 80d.org
Mon Feb 28 22:40:10 CET 2005


One thing that could be done to minimize the number of useless keys
propagating out onto the keyservers is to track down the authors of
the multitude of "GPG HOWTO" articles out there.  They should be asked
to change their articles that instruct new users to immediately upload
their keys as soon as they are created.

Key management cannot usually be handled properly in a simple two-part
article from a technology web magazine.

Most users should first be informed on how to make choices on how they
are going to use their keys (personal / work or just for encrypting
backups), what lifetime they expect for any given key, how
distribution is handled, what signatures are, etc.  Subkeys should be
explained properly.

THEN, and only then, should an article go into key generation
procedures.  Users should be encouraged to use manual distribution, by
email or otherwise, at the outset as they get comfortable with gpg and
the like.  It is at this time when keyprefs can be properly set up,
signatures from friends can be obtained, testing can be done with
other types of OpenPGP implementations, and their uid list can
stabilize somewhat.  Authors should encourage key expiry dates of one
or two years (if they are to be uploaded) for the user to become
comfortable with gpg and ensure that any mistakes will eventually
fall by the wayside (and out of precious keyserver storage).  Ironing
out keyprefs, etc. before the key is uploaded will reduce future
storage requirements for the keyservers.  (Only the last sig-packet is
displayed, but in most cases all previous ones remain, if my thinking is
correct.  This includes keeping around old uids, expiry dates, etc.)

Users should also receive an intro on the keyserver system and be
encouraged NOT to upload test keys but to play with them manually on
their own machines or with friends only.

When users determine, within one or two years, that they'd like to
continue to use gpg/pgp, they can upload any new signatures or uid list
changes, keypref URLs, etc. and update their key expiry date to a time
farther in the future.  This would encourage people to back up their
keys and generate revocation certificates and file them away rather
than letting them vaporize with the latest disk crash.

This may be difficult to do but I believe a campaign could be started
if anybody would be interested in taking on such a project.  Users of
this mailing list and other places could be asked to search the web
for any articles (and author links) that instruct users to immediately
upload their keys after creation.  These could be collected,
duplicates removed, and verified.  Another distributed or collective
effort could send the authors notice on what "the community" would
like their readers to do along with some prepared text on how the
keyservers operate.

Please excuse my old keys.  Too much experimentation on my part has
clogged up the keyservers as well.  I've learned a great deal since
then.

Cyrus
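The workflow argued for in the message above (choose preferences and a short
lifetime first, distribute the public key by hand, file away a backup and a
revocation certificate, and only later extend the expiry and publish), driven
through GnuPG's batch interface.  This is an added example and not part of
the original post or of GnuPG's own documentation.  It assumes GnuPG 2.1.17
or later (for --quick-generate-key and --quick-set-expire), uses a
constructed sample identity, an empty passphrase so it can run unattended,
and a throwaway GNUPGHOME so no real keyring is touched; the function names
are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate a key locally, keep it
# off the keyservers until it has settled, then extend its expiry and publish.
# Assumes GnuPG >= 2.1.17.  Everything lands in a throwaway GNUPGHOME.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
  echo "gpg not installed; nothing to demonstrate" >&2
  exit 0
fi

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

UID_STR="Alice Example <alice@example.com>"   # constructed sample identity

# Every gpg call is non-interactive.  The empty passphrase exists only so the
# example runs unattended; a real key gets a real passphrase.
gpgb() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint for the sample identity (40 hex chars for a v4 key).
fingerprint() {
  gpg --batch --with-colons --list-keys "$UID_STR" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Primary-key expiry as seconds since the epoch (field 7 of the "pub" record).
expiry_epoch() {
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $7; exit }'
}

# Step 1: settle the preferences and the lifetime first, then generate.  The
# preference list is baked into the key's self-signature, so fixing it now
# means no superseded self-sig packets accumulate on a keyserver later.
# "default" usage gives a cert+sign primary plus an encryption subkey; 2y is
# the short initial expiry the post recommends.
generate_key() {
  gpgb --default-preference-list "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed" \
       --quick-generate-key "$UID_STR" rsa3072 default 2y
}

# Step 2: artefacts for manual distribution and for recovery.  The public key
# goes out by email or in person rather than to a keyserver; the secret-key
# backup and the revocation certificate are filed away offline.
export_public_key() { gpgb --armor --export "$1" > "$WORK/pubkey.asc"; }
backup_secret_key() {
  gpgb --armor --export-secret-keys "$1" > "$WORK/secret-backup.asc"
  chmod 600 "$WORK/secret-backup.asc"
}
# GnuPG 2.1+ writes a revocation certificate at key-creation time.  It carries
# a leading ':' on the BEGIN line, which must be removed before it can be
# imported, so it cannot be published by accident.
save_revocation_cert() { cp "$GNUPGHOME/openpgp-revocs.d/$1.rev" "$WORK/revoke.asc"; }

# Step 3, a year or two later: still using the key, so push the expiry out.
# Only at this point would the key be uploaded; the upload is printed, not run.
extend_expiry()   { gpgb --quick-set-expire "$1" 5y; }
publish_command() { printf 'gpg --send-keys %s\n' "$1"; }

generate_key
FPR=$(fingerprint)
EXPIRY_AT_CREATION=$(expiry_epoch "$FPR")
export_public_key "$FPR"
backup_secret_key "$FPR"
save_revocation_cert "$FPR"
extend_expiry "$FPR"
EXPIRY_AFTER_EXTENSION=$(expiry_epoch "$FPR")
echo "key $FPR: expiry moved from $EXPIRY_AT_CREATION to $EXPIRY_AFTER_EXTENSION"
echo "when ready to publish: $(publish_command "$FPR")"
```

The preferences are set with --default-preference-list at generation time
rather than with setpref in --edit-key afterwards, because the latter adds a
second self-signature to the key; on an unpublished key either approach is
harmless, which is the point of keeping the key local while it settles.
--quick-set-expire as used here changes only the primary key's expiry.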