Global Directory signatures (was Re: GPG wants to check trustdb every day)

David Shaw dshaw at jabberwocky.com
Mon Jan 3 16:42:17 CET 2005


On Sun, Jan 02, 2005 at 11:33:47PM -0500, Jason Harris wrote:
> On Sun, Jan 02, 2005 at 06:44:51PM -0500, David Shaw wrote:
> > On Sun, Jan 02, 2005 at 03:54:19PM -0500, Jason Harris wrote:
> 
> > > Regardless of your particular semantics of "actively bridging keys,"
> > > signatures from 0xCA57AD7C are showing up on the regular keyservers.
> > 
> > I'm fairly sure you understand the difference between "active" and
> > "passive", and if not, it should be quite clear from the context.  I'm
> > not going to explain it again.
> > 
> > I'm happy to continue having this discussion, but if you would rather
> > play "neener neener neener" games, I'd just as soon pass.  I'd rather
> > do something productive.
> 
> No.  Determining who (keyholders v. key users) copies keys from
> keyserver.pgp.com to the regular keyservers is not important to me.
> It was not clear to me that that's what you've meant, hopefully,
> all along.  Likewise, if I haven't been sufficiently clear, I only
> care _that_ the GD signatures clutter my pks and SKS databases.

Lovely.  Moving on then, do you see this as something you can resolve
in your keyserver?  I've made the change in GnuPG to not import or
export expired signatures by default.  This is a limited fix, of
course, due to the overlap between an old GD sig expiring and a new GD
sig being issued.  It strikes me that if the goal is to keep the
keyservers clean, then the keyservers need to take action.  There is
only so much that clients can do here.

Incidentally, my concern is slightly larger than what you state above.
It is interesting to me *who* copies keys, but also to *what extent*
the keys are copied.  If the key owner copied the key, we can perhaps
assume they meant to do it; it's their key.  If a key recipient did
it, we cannot make this assumption.  Given current keyservers, we
can't tell the difference so the point is academic, but no matter who
does the copying, a few signatures aren't going to wreak havoc (you
mentioned you had seen extra signatures showing up on only 120 keys
thus far), but a large number of copied keys start looking messy.

David
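As an added illustration of the two approaches discussed above (not code from GnuPG or from any keyserver): the client-side default of dropping expired signatures, and a keyserver-side rule that keeps only the newest certification per issuer. The colon-format records, the 10-day re-signing interval, the 14-day validity, and the `newest_per_issuer` rule are all assumptions constructed for the example.

```python
"""Constructed example: filtering Global Directory (GD) certifications.

Parses a few constructed `gpg --with-colons --list-sigs` records (field 5 is
the issuer key ID, field 6 the creation time, field 7 the expiration time,
both as UNIX timestamps, per GnuPG's doc/DETAILS) and applies two policies:
  * drop_expired: the client-side default described in the thread.
  * newest_per_issuer: an assumed keyserver-side rule, not a description of
    any real keyserver, keeping the latest certification per issuer and UID.
"""
from dataclasses import dataclass
from typing import List, Optional

GD_KEYID = "CA57AD7C"  # short key ID of the GD signing key, quoted in the thread

# Constructed records: one UID carrying a self-sig, three overlapping GD sigs
# (re-issued every 10 days, each valid for 14 days) and one third-party sig.
SAMPLE = """\
pub:-:1024:17:1111111111111111:1000000000:::-:::scESC:
uid:-::::1000000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice <alice@example.org>:
sig:::17:1111111111111111:1000000000:::::Alice <alice@example.org>:13x:
sig:::17:00000000CA57AD7C:1100000000:1101209600::::PGP Global Directory <nobody@example.org>:10x:
sig:::17:00000000CA57AD7C:1100864000:1102073600::::PGP Global Directory <nobody@example.org>:10x:
sig:::17:00000000CA57AD7C:1101728000:1102937600::::PGP Global Directory <nobody@example.org>:10x:
sig:::17:2222222222222222:1090000000:::::Bob <bob@example.org>:10x:
"""


@dataclass(frozen=True)
class Sig:
    uid: str              # user ID the certification is attached to
    keyid: str            # issuer key ID (field 5)
    created: int          # creation timestamp (field 6)
    expires: Optional[int]  # expiration timestamp (field 7), None if never


def parse_sigs(colon_output: str) -> List[Sig]:
    """Collect sig records, attributing each to the uid record preceding it."""
    sigs, current_uid = [], ""
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            current_uid = f[9]
        elif f[0] == "sig":
            expires = int(f[6]) if f[6] else None
            sigs.append(Sig(current_uid, f[4], int(f[5]), expires))
    return sigs


def gd_sigs(sigs: List[Sig]) -> List[Sig]:
    """Certifications whose issuer key ID ends in the GD key's short ID."""
    return [s for s in sigs if s.keyid.endswith(GD_KEYID)]


def drop_expired(sigs: List[Sig], now: int) -> List[Sig]:
    """Client-side default: skip signatures that have already expired."""
    return [s for s in sigs if s.expires is None or s.expires > now]


def newest_per_issuer(sigs: List[Sig]) -> List[Sig]:
    """Assumed keyserver-side rule: one certification per (uid, issuer)."""
    newest = {}
    for s in sigs:
        key = (s.uid, s.keyid)
        if key not in newest or s.created > newest[key].created:
            newest[key] = s
    return sorted(newest.values(), key=lambda s: (s.uid, s.created))
```

With overlapping GD validity periods, dropping expired signatures alone still leaves two GD certifications on the key, while the per-issuer rule reduces them to one.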
