2 noob problems

David Shaw dshaw at jabberwocky.com
Sun May 22 00:25:23 CEST 2005 

On Sat, May 21, 2005 at 10:53:12AM -0500, Alex L. Mauer wrote:

> On the other hand, if the signature has expired, since it becomes
> meaningless there's no reason to keep it.  Look at the PGP Global
> Directory key for an example of where this could become a problem.
> It re-signs the keys every two weeks, with a signature that is valid
> for two weeks.  This builds up pretty quickly.

Yes.  This is something I've been playing around with for the next
version.  I'm not completely decided on how to implement the UI for
it.  It'll be optional, of course, but the general idea is that people
can choose to remove "useless" signatures from their keyring
automatically at import or export time, or any time via --edit-key.

"useless" in this case means (almost) any signature that is not
actually used by GnuPG for the trust calculations.  The code in fact
is the same as the trust code.  So for example, an expired signature
would be deleted, along with any signatures that the expired signature
superceded.  A revoked signature similarly is deleted, and takes out
the superceded signatures with it.

> In fact ... now that I think about it, if this were done, it would be
> possible for the keyservers to handle that better too: It could retain
> only the most recent signature for a key on each uid, and only give out
> the keys if the most recent self-signature is not a revokation
> signature.  But, it could still hang on to all keys for comparison, so
> that when syncronization rolls around it doesn't just treat it as a new key.

There are several reasons why it is a good idea for keyservers to
store multiple signatures, but the main one is that they do not
currently have any crypto code to actually verify the signatures.
Without the ability to know if a given signature is good or bad, the
keyservers cannot make any decisions as to what signatures to keep or
drop.

GnuPG can verify signatures, of course, and so can safely prune them.
Incidentally, PGP prunes as well.  It's the only way to keep keys to a
rational size over a long period of time.

David

More information about the Gnupg-users mailing list