PGP global directory cruft in keyservers

David Shaw dshaw at jabberwocky.com
Thu Sep 8 04:48:51 CEST 2005


On Wed, Sep 07, 2005 at 08:21:24PM -0600, Kurt Fitzner wrote:
> David Shaw wrote:
> 
> > Would be difficult to do in SKS.  You need to be able to verify
> > signatures (so cleaning doesn't remove the wrong signature), and right
> > now SKS doesn't verify signatures.
> 
> The problem isn't widespread in that other keyservers are doing this
> sort of thing.  A simple explicit deletion of all PGP directory keys
> would suffice.  Plus, it would send a message to PGP about their
> behavior in bloating the key infrastructure when there are lots of more
> technically elegant solutions to what they were doing.

Dropping all signatures that match a particular key ID would indeed
resolve a significant piece of the problem (and you don't need crypto
support in the keyservers for that), but I don't agree that this is
the fault of PGP.  PGP isn't sending these signatures out.  PGP
doesn't sync with anyone, in or out.  The question to ask is not how
to make PGP stop, but how are the signatures leaking from their
isolated island server?

I've gotten a number of private emails today from PGP 9 users who
indicate that PGP 9 has *no* functionality to bridge a key and say it
must be done manually.

Any keyserver operators care to trace down where the signatures are
being injected from?

David



More information about the Gnupg-users mailing list