PGP global directory cruft in keyservers
JPClizbe at comcast.net
Tue Sep 6 20:36:37 CEST 2005
Kurt Fitzner wrote:
> This isn't GnuPG-related really, but I recently downloaded my own public
> key from a keyserver and found on it about a billion of those silly PGP
> global directory signatures on it. Either someone has been downloading
> my key from PGP a whole bunch and then submitting it to keyservers, or
> the mainstream keyservers are syncing with PGP's global directory.
> I'm wondering if this is a widespread problem. Have other people
> noticed this with their keys?
> I am now very sorry I went through that email process with PGP. I'm
> actually hoping this is a widespread problem so that keyserver operators
> will start deleting those stupid signatures. If not, I am stuck with my
> key having a billion useless signatures on it.
> I'm so glad there is GnuPG with no corporate agenda!!!
> Thanks Werner et al.
gpg --edit-key <keyID> clean
And setting the clean-sigs and clean-uids options on import-options,
export-options, and keyserver-options are our only defense until then.
Like you, I refreshed from a SKS server and found 120 new sigs on my key,
ALL PGP Universal Keyserver.
Over on PGP-Basics, someone asked what was the purpose of the 'clean'
command in GnuPG. A good friend of mine replied, "It undoes the damage
caused by the PGP Universal key server."
Like you, I regret ever submitting my key to that nightmare. I ignored all
the renewal emails.
I can't say if the PGP signatures were always the problem, but importing my
full keyring to clean it in the process reduced a 750 key ring from ~8MB to
~6MB, just under 1/3 (32%) reduction.
Maybe --clean-keys could be added as a command to GnuPG, like --check-sigs.
Perhaps autocleaning keys is something the SKS keyserver folks will
introduce. They seem to have the only active development taking place.
And I second the thanks to Werner, David, Timo, and the rest of the GnuPG
John P. Clizbe PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
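
An added example, not part of the original message: before running clean, one way to see which signer has piled repeated signatures onto a key is to count `sig` records per signer in `gpg --with-colons --list-sigs` output. The function names, the sample listing and its key IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: find signers that certified the same key many times.
# Input is `gpg --with-colons --list-sigs` output; fields used are
# 1 = record type, 5 = key ID (of the key for pub, of the signer for sig).

# sig_counts: print "COUNT TARGET SIGNER" for every third-party signer,
# highest count first. Self-signatures and subkey bindings are skipped.
sig_counts() {
    awk -F: '
        $1 == "pub" { target = $5 }
        $1 == "sig" && $5 != target { n[target " " $5]++ }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,3
}

# repeated_signers MIN: keep only signers with at least MIN signatures on
# one key. Signatures superseded by a later one from the same signer are
# among those the clean command removes.
repeated_signers() {
    sig_counts | awk -v min="$1" '$1 >= min'
}

# Constructed sample listing (key IDs and names are made up).
SAMPLE='pub:u:1024:17:AAAAAAAAAAAAAAAA:1100000000:::u:::scESC:
uid:u::::1100000000::::Example User <user@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1100000000::::Example User <user@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1110000000::::Friend One:10x:
sig:::17:CCCCCCCCCCCCCCCC:1111000000::::Friend Two:10x:
sig:::17:DDDDDDDDDDDDDDDD:1120000000::::Directory Signer (constructed):10x:
sig:::17:DDDDDDDDDDDDDDDD:1121000000::::Directory Signer (constructed):10x:
sig:::17:DDDDDDDDDDDDDDDD:1122000000::::Directory Signer (constructed):10x:
sig:::17:DDDDDDDDDDDDDDDD:1123000000::::Directory Signer (constructed):10x:
sig:::17:DDDDDDDDDDDDDDDD:1124000000::::Directory Signer (constructed):10x:
sub:u:2048:16:EEEEEEEEEEEEEEEE:1100000000::::::e:
sig:::17:AAAAAAAAAAAAAAAA:1100000000::::Example User <user@example.org>:18x:'

# Demo on the sample: signers with three or more signatures on one key.
printf '%s\n' "$SAMPLE" | repeated_signers 3
```

On a real keyring the same functions read from `gpg --with-colons --list-sigs <keyID>` instead of the sample.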