PGP global directory cruft in keyservers

David Shaw dshaw at jabberwocky.com
Wed Sep 7 00:03:28 CEST 2005


On Tue, Sep 06, 2005 at 01:36:37PM -0500, John Clizbe wrote:
> Kurt Fitzner wrote:
> > This isn't GnuPG-related really, but recently downloaded my own public
> > key from a keyserver and found on it about a billion of those silly PGP
> > global directory signatures on it.  Either someone has been downloading
> > my key from PGP a whole bunch and then submitting it to keyservers, or
> > the mainstream keyservers are syncing with PGP's global directory.
> > 
> > I'm wondering if this is a widespread problem.  Have other people
> > noticed this with their keys?
> > 
> > I am now very sorry I went through that email process with PGP.  I'm
> > actually hoping this is a widespread problem so that keyserver operators
> > will start deleting those stupid signatures.  If not, I am stuck with my
> > key having a billion useless signatures on it.
> > 
> > I'm so glad there is GnuPG with no corporate agenda!!! 
> > Thanks Werner et al.
> 
> gpg --edit-key <keyID> clean
> 
> And setting the clean-sigs and clean-uids options on import-options,
> export-options, and keyserver-options are our only defense until then.
> 
> Like you, I refreshed from a SKS server and found 120 new sigs on my key,
> ALL PGP Universal Keyserver.

To my knowledge, the PGP GD doesn't sync with anyone.  It would be
interesting to know how/where these signatures are leaking into the
keyserver net.

> Over on PGP-Basics, someone asked what was the purpose of the 'clean'
> command in GnuPG. A good friend of mine replied, "It undoes the damage
> caused by the PGP Universal key server."
> 
> Like you, I regret ever submitting my key to that nightmare. I ignored all
> the renewal emails.
> 
> I can't say if the PGP signatures were always the problem, but importing my
> full keyring to clean it in the process reduced a 750 key ring from ~8MB to
> ~6MB, just under 1/3 (32%) reduction.
> 
> Maybe --clean-keys could be added as a command to GnuPG, like --check-sigs.

Do you think this is that useful?  I had expected people to treat
clean-* as a "set it and forget it" feature and let GnuPG handle the
keyring.  Note that if clean-* is set, doing a --refresh-keys, as many
people do every now and then, effectively runs clean on each key.

> Perhaps autocleaning keys is something the SKS keyserver folks will
> introduce. They seem to have the only active development taking place.

Would be difficult to do in SKS.  You need to be able to verify
signatures (so cleaning doesn't remove the wrong signature), and right
now SKS doesn't verify signatures.

David
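The options John describes, written out as a gpg.conf fragment. This is an added example, not text from the thread or from the GnuPG project; it uses the merged `import-clean` / `export-clean` spelling that later GnuPG releases adopted, and it assumes the split `clean-sigs` / `clean-uids` forms named above were the spelling of the 1.4.x build in use at the time, so check the man page for the build you actually run before copying it.

```conf
# ~/.gnupg/gpg.conf  (added example, not from the thread)
# Strip unusable signatures and user IDs (including third-party
# signatures whose issuing key is not on the local keyring) whenever a
# key enters or leaves the keyring.  Later GnuPG releases spell the
# options as below; the 1.4.x forms named in the thread are
# import-clean-sigs, import-clean-uids, export-clean-sigs, export-clean-uids
# (assumed here to be accepted as the older spelling).
import-options    import-clean
export-options    export-clean
keyserver-options import-clean
```

With these set, a routine `gpg --refresh-keys` cleans every key it fetches, as David notes; a key already sitting in the keyring is cleaned once with `gpg --edit-key <keyID> clean` followed by `save`. Compare `gpg --list-sigs <keyID>` before and after to confirm only unverifiable signatures were dropped: a signature from a key you hold is verifiable and stays. Note that `export-clean` only trims what you upload; SKS merges and never deletes, so without `import-clean` the same signatures return on the next refresh.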