This IS about GD - a proposal on dealing with the problem

[David Shaw]

On Fri, Sep 09, 2005 at 02:00:38PM -0600, Kurt Fitzner wrote:
> Ok, that other thread isn't about the GD, but this one is.  I think this
> is something that should be discussed and a consensus reached.
> 
> Are they a good/bad signer?
> Does something need to be done about them?
> Should they be approached by the community?
> 
> PGP's position (and the argument I've heard from others) is that they
> have a lone keyserver, not attached to anything else, if the keys and
> junk signatures leak - SEF/SEP (Somebody Else's Fault, Somebody Else's
> Problem).  My response is, if a company produced a pool of toxic waste
> and left it on private, but open and unprotected property, is that
> company liable for that toxic waste getting out?

So if I take material from www.cnn.com and distribute it around the
net, it's CNN's fault for not protecting their data better?

It might be useful to tone down the rage here.  PGP isn't producing
toxic waste.  They're producing small packets of binary data.  Nobody
is actually being poisoned and dying here.  Extra signatures on keys
do not actually harm anyone, despite all the hysterics that they seem
to cause.  At best, this is an aesthetic problem.

Also, these are not "junk" signatures.  They have semantic meaning,
and are used by many people.  Please clarify what makes a signature a
"junk" signature.  I'd like to understand why you classify them that
way.

> Their server and their signatures, but we are paying the price with
> time, agravation, and quite possibly increased costs to keyserver
> operators if something isn't done.

Where is the time (aside from the time we keep spending talking about
it)?  Where is the aggravation?

Costs?  Picking a random GD signature off my key, it is 293 bytes
long.  Let's guess that there are around 10,000 keys that exist both
on the SKS net and the GD.  Let's also say that there is a malicious
person out there who is bridging *every one* of those 10,000 keys.  I
doubt this is happening, but again, let's go with it.  Given all those
weighted-to-be-awful numbers, what does that come to?  2.8 megabytes.
The GD reissues signatures on demand, more or less every 2 weeks.  52
weeks in a year, so the GD will add 72.7 megabytes a YEAR to the SKS
server net.  72.7 megabytes a year.  In 8 years, we'll have enough to
fill a CD-ROM.

Allow me to opine that if we're hurting from 72.7 megabytes a year,
than the keyserver net has other problems than the GD.

> My proposal is that a letter be sent to PGP requesting (I'd put
> demanding, but that's simply my personal outrage speaking) they kindly
> stop leaving toxic waste....er junk signatures... out where any naive
> user can (and obviously does) spread them around.  Perhaps it could be
> suggested that they take part in the cleanup effort by supplying time
> and money to operators to fix the problem.  I propose this letter be
> signed by as many of the OpenPGP and related support software
> developers, key server operators, and even end users as will support it.

Why the outrage?  I really don't understand why people are so hopping
mad about this.  Turn on "import-clean" in your gpg.conf and you'll
never see more than one GD signature at a time.

It's fairly obvious at this point that someone is bridging the GD to
the keyserver net.  PGP (the company) isn't doing it, and PGP (the
product) and GnuPG have no way to do it automatically.  Again, may I
suggest that before we implement changes in keyservers or send
threatening letters to the PGP company or even just continue to vent,
we simply track down who is doing it and ask them nicely to stop?

I've seen Jason pull off miracles at tracking down the origin of bad
packets on the keyserver net.  That would actually accomplish
something, rather than getting all angry and scolding PGP (which might
make people feel better, but likely won't change any part of the GD).

David