[Sks-devel] stripping GD sigs (was: Re: clean sigs)

David Shaw dshaw at jabberwocky.com
Fri Sep 9 04:28:29 CEST 2005

On Thu, Sep 08, 2005 at 10:08:24PM -0400, Jason Harris wrote:
> On Thu, Sep 08, 2005 at 08:00:25PM -0400, David Shaw wrote:
> > On Fri, Sep 09, 2005 at 12:33:47AM +0200, Dirk Traulsen wrote:
> > > 3. Because now I was irritated, I did the same again with a different 
> > > keyserver 'keyserver.kjsl.com' and I got a completely different 
> > > result! When I fetched the key 08B0A90B, here it didn't have 47 sigs, 
> > > but only 15 sigs (see below output2). There was only a double self 
> > > sig, which 'clean' removed later. How can this be, if the keyservers 
> > > are synchronized?
> > 
> > Looks like they're not all that well synchronized :)
> Well, keyserver.ubuntu.com is still not participating in email syncs
> to non-SKS keyservers, but that's a different problem.
> keyserver.kjsl.com is now stripping all GD sigs.  The extra variable
> in kd_search.c and code for 'case 2:' of make_keys_elem(), respectively:

It's your keyserver, and you of course make the choices for what it
carries, but for the record, I think this is a bad idea.  Skipping the
usual discussion about the GD (I don't think anyone will convince
anyone else at this point), you do realize that this means you are
making a decision to edit the web of trust for others based on your
own personal criteria.

I'd be all in favor of an option where users could elect to filter out
keys: that would put the user in control.  Forcing your decision on
others by stripping signatures is a very disturbing step.


More information about the Gnupg-users mailing list