Global Directory signatures (was Re: GPG wants to check trustdb every day)

Jason Harris jharris at widomaker.com
Sun Jan 2 21:54:19 CET 2005


On Thu, Dec 30, 2004 at 09:48:22PM -0500, David Shaw wrote:

> Which shows that people aren't actively bridging keys, or you'd have
> vastly more than 120 signatures issued by the GD key on the keyserver

Regardless of your particular semantics of "actively bridging keys,"
signatures from 0xCA57AD7C are showing up on the regular keyservers.
Having read the FAQ for GD, I believe pgp.com sees the 14 day
expirations as a real feature and won't be changing that value anytime
soon.  If so, it may be reasonable for regular keyservers to remove
all signatures by the GD key that have expired, or perhaps not to store
any at all.  Clearly, such expired signatures only serve to bloat keys
on users' keyrings and regular keyservers.

A much better design would be to issue yearly signatures and revoke them
when a key is removed from the GD.  This way, multiple GD signatures are
caused (mostly) by the users' actions and/or inactions.

Also, the GD should store expired and revoked keys.  Users who rely solely
on the GD keyserver now must search for each key by email address before
encrypting to it or trusting a signature from it.  If a key is expired
by a signature not yet downloaded from GD, but the key is already gone
from the GD, how else is a user to know the key has expired?  Worse,
if a key has been compromised, how is the keyholder supposed to record
that fact with the GD?  Refreshing one's keyring only from the GD only
using keyids cannot reveal unusable keys.

> net.  Far more than 120 people use the GD.

Indeed, given the "hardware meltdown" of the non-GD pgp.com keyserver,
they are now quite the captive audience.  I particularly hope there is
more hardware available for the GD so that a loss of data doesn't cause
a sudden spike in signatures [re]issued by the GD.

On Thu, Dec 30, 2004 at 12:51:08PM -0500, Jason Harris wrote:

> NB:  Pulling 0xF7447263 from keyserver.pgp.com just now didn't add a
> new sig. by 0xCA57AD7C, so it looks like the 8 day bug/feature is gone.

Gah!  0x839B8AD7 is a recent example to the contrary:

  sig!         CA57AD7C 2004-12-31  PGP Global Directory Verification Key
  sig!         CA57AD7C 2005-01-02  PGP Global Directory Verification Key

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
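The keyserver policy floated above (dropping GD signatures that have already expired while keeping everything else) as an added example, not code from the thread or from any keyserver. It parses constructed lines in the shape of `gpg --with-colons --list-sigs` output, assuming field 5 is the issuer key ID and fields 6 and 7 the creation and expiration times in epoch seconds, and matches the GD key on the short ID 0xCA57AD7C quoted in the thread.

```python
from datetime import datetime, timezone

GD_KEYID = "CA57AD7C"  # short key ID of the GD verification key quoted in the thread

# Constructed sample in the shape of `gpg --with-colons --list-sigs` output
# (assumed layout: field 5 issuer key ID, field 6 creation, field 7 expiration,
# both as seconds since the epoch, empty meaning "never expires").
SAMPLE_LISTING = """\
pub:-:1024:17:0123456789ABCDEF:1041379200:::-:::scESC:
uid:-::::1104451200::0000000000000000000000000000000000000000::Example User <user@example.org>:
sig:::17:01234567CA57AD7C:1104451200:1105660800::::PGP Global Directory Verification Key:10x:
sig:::17:01234567CA57AD7C:1104624000:1105833600::::PGP Global Directory Verification Key:10x:
sig:::17:FEDCBA9876543210:1104000000:::::Another Certifier <other@example.org>:10x:
"""

def parse_sigs(listing):
    """One dict per 'sig' record: issuer key ID, creation/expiry epochs, issuer uid."""
    sigs = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "sig":
            sigs.append({"keyid": f[4].upper(),
                         "created": int(f[5] or 0),
                         "expires": int(f[6] or 0),  # 0 = no expiration
                         "uid": f[9]})
    return sigs

def expired_gd_sigs(listing, now):
    """GD signatures (matched on the short key ID) already expired at `now`."""
    return [s for s in parse_sigs(listing)
            if s["keyid"].endswith(GD_KEYID) and 0 < s["expires"] <= now]

def prune_listing(listing, now):
    """The policy the post floats: drop expired GD sigs, keep every other record."""
    drop = {(s["keyid"], s["created"]) for s in expired_gd_sigs(listing, now)}
    kept = [line for line in listing.splitlines()
            if not (line.startswith("sig:") and
                    (line.split(":")[4].upper(), int(line.split(":")[5] or 0)) in drop)]
    return "\n".join(kept) + "\n"

def as_date(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")

if __name__ == "__main__":
    now = 1105747200  # constructed reference time: 2005-01-15 UTC
    for s in expired_gd_sigs(SAMPLE_LISTING, now):
        print(f"GD sig made {as_date(s['created'])} expired {as_date(s['expires'])}")
    print(prune_listing(SAMPLE_LISTING, now))
```

With the sample's two GD certifications made 14 days apart in lifetime, the 2005-01-15 reference time shows only the first one expired; a later reference time catches both while the non-GD certification is never touched.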