This IS about GD - a proposal on dealing with the problem

Kurt Fitzner kfitzner at
Fri Sep 9 22:00:38 CEST 2005

Ok, that other thread isn't about the GD, but this one is.  I think this
is something that should be discussed and a consensus reached.

Are they a good/bad signer?
Does something need to be done about them?
Should they be approached by the community?

PGP's position (and the argument I've heard from others) is that they
have a lone keyserver, not attached to anything else, if the keys and
junk signatures leak - SEF/SEP (Somebody Else's Fault, Somebody Else's
Problem).  My response is, if a company produced a pool of toxic waste
and left it on private, but open and unprotected property, is that
company liable for that toxic waste getting out?

The community is getting toxic waste from their inelegant solution.  A
solution that, I suggest, can only be in place to promote dependence on
their server and force people to keep coming back to them (is this
ringing any familiarity bells yet?).  Assuming a goal without advertising
as a central theme (i.e.: the technical goal of producing a signature
indicating a certain level of trust - where that trust can be
periodically reviewed and the signature removed if the trust is
breached), any one of us could come up with a half dozen technically
elegant solutions that don't pollute.

Their server and their signatures, but we are paying the price with
time, aggravation, and quite possibly increased costs to keyserver
operators if something isn't done.

My proposal is that a letter be sent to PGP requesting (I'd put
demanding, but that's simply my personal outrage speaking) they kindly
stop leaving toxic junk signatures... out where any naive
user can (and obviously does) spread them around.  Perhaps it could be
suggested that they take part in the cleanup effort by supplying time
and money to operators to fix the problem.  I propose this letter be
signed by as many of the OpenPGP and related support software
developers, key server operators, and even end users as will support it.

Signature cleaning and/or filtering is not the answer, just as spam
filtering is not the ultimate answer.  The cost to the IT industry of
spam filtering is enormous.  Let's deal with the problem at the source.

