PGP global directory cruft in keyservers

John Clizbe JPClizbe at comcast.net
Tue Sep 6 20:36:37 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kurt Fitzner wrote:
> This isn't GnuPG-related really, but I recently downloaded my own public
> key from a keyserver and found on it about a billion of those silly PGP
> global directory signatures on it.  Either someone has been downloading
> my key from PGP a whole bunch and then submitting it to keyservers, or
> the mainstream keyservers are syncing with PGP's global directory.
> 
> I'm wondering if this is a widespread problem.  Have other people
> noticed this with their keys?
> 
> I am now very sorry I went through that email process with PGP.  I'm
> actually hoping this is a widespread problem so that keyserver operators
> will start deleting those stupid signatures.  If not, I am stuck with my
> key having a billion useless signatures on it.
> 
> I'm so glad there is GnuPG with no corporate agenda!!! 
> Thanks Werner et al.

gpg --edit-key <keyID> clean

And setting the clean-sigs and clean-uids options on import-options,
export-options, and keyserver-options are our only defense until then.

Like you, I refreshed from a SKS server and found 120 new sigs on my key,
ALL PGP Universal Keyserver.

Over on PGP-Basics, someone asked what was the purpose of the 'clean'
command in GnuPG. A good friend of mine replied, "It undoes the damage
caused by the PGP Universal key server."

Like you, I regret ever submitting my key to that nightmare. I ignored all
the renewal emails.

I can't say if the PGP signatures were always the problem, but importing my
full keyring to clean it in the process reduced a 750 key ring from ~8MB to
~6MB, just under 1/3 (32%) reduction.

Maybe --clean-keys could be added as a command to GnuPG, like --check-sigs.

Perhaps autocleaning keys is something the SKS keyserver folks will
introduce. They seem to have the only active development taking place.

And I second the thanks to Werner, David, Timo, and the rest of the GnuPG
development community.

- --
John P. Clizbe                   PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3-cvs-2005-09-04 (Windows 2000 SP4)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the £33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDHeG0HQSsSmCNKhARAqyJAKD1xF5/xYoV2m2CSqC3BQ1t2mX6jwCeNxc/
bgXl+nXUPBTIuAk0+rGJQ6k=
=DTUD
-----END PGP SIGNATURE-----
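To see how much of a key's bulk comes from a single signer, before and after cleaning, the per-signer signature count can be read from GnuPG's colon-delimited listing. This is an added example, not part of the original message; the function names are hypothetical and the embedded listing, including every key ID, date and name in it, is constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the style of `gpg --with-colons --list-sigs` output.
# All key IDs, timestamps and names below are made up.
sample_listing() {
cat <<'EOF'
pub:u:1024:17:AAAAAAAAAAAAAAAA:1104537600:::u:::scESC:
uid:u::::1104537600::0000::Example User <user@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1104537600::::Example User <user@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1117584000::::Directory Signer (constructed):10x:
sig:::17:BBBBBBBBBBBBBBBB:1118793600::::Directory Signer (constructed):10x:
sig:::17:BBBBBBBBBBBBBBBB:1120003200::::Directory Signer (constructed):10x:
sig:::17:BBBBBBBBBBBBBBBB:1121212800::::Directory Signer (constructed):10x:
sig:::17:CCCCCCCCCCCCCCCC:1110000000::::A Friend <friend@example.org>:10x:
sub:u:2048:16:DDDDDDDDDDDDDDDD:1104537600::::::e:
sig:::17:AAAAAAAAAAAAAAAA:1104537600::::Example User <user@example.org>:18x:
EOF
}

# Read a colon listing on stdin and print "count keyid name" for each
# third-party signer, busiest first. Field 5 is the key ID on both pub and
# sig records; field 10 of a sig record is the signer's user ID.
# Self-signatures and subkey binding signatures carry the primary key's ID
# and are skipped.
sigs_by_signer() {
  awk -F: '
    $1 == "pub" { owner = $5; next }
    $1 == "sig" && $5 != owner { n[$5]++; name[$5] = $10 }
    END { for (k in n) printf "%d %s %s\n", n[k], k, name[k] }
  ' | sort -k1,1nr -k2,2
}

# Print only the key IDs that signed at least $1 times.
noisy_signers() {
  sigs_by_signer | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed listing.
sample_listing | sigs_by_signer
```

On a real keyring the input would come from `gpg --with-colons --list-sigs <keyID>` piped into `sigs_by_signer`.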


