[Sks-devel] stripping GD sigs (was: Re: clean sigs)

David Shaw dshaw at jabberwocky.com
Fri Sep 9 14:56:04 CEST 2005

On Fri, Sep 09, 2005 at 07:38:31PM +0930, Alphax wrote:
> Johan Wevers wrote:
> > David Shaw wrote:
> > 
> > 
> >>I'd be all in favor of an option where users could elect to filter out
> >>keys: that would put the user in control.  Forcing your decision on
> >>others by stripping signatures is a very disturbing step.
> > 
> > 
> > Considering the behaviour of the GD, I'd say it's also a practical issue
> > about resources: if it keeps signing keys like this, an SKS server might
> > well be in need of seriously more hardware than it is now. Someone's got
> > to pay for that, amd I don't think all keyserver maintainers want to.
> > 
> Carrying out a full cleaning of keys stored on keyservers would
> seriously damage the WoT. Removing duplicated signatures however would
> probably have little impact, assuming you are removing only the newest
> ones and keeping any signatures with attributes set (notation data,
> policy URLs, revocation/expiry status).

If the keyservers had crypto support, you could do the equivalent of
GnuPG "clean" on each key.  Without crypto support, though, you could
remove a good signature and keep a bad one.

I suspect it would be cheaper to store the extra packets than it would
be to do all the signature math for every key....


More information about the Gnupg-users mailing list