[Sks-devel] Fwd [from schleuder dev team]: Signature-flooded keys: current situation and mitigation

Wiktor Kwapisiewicz wiktor at metacode.biz
Fri Jul 19 12:34:13 CEST 2019

Hi Andrew,

On 18.07.2019 19:35, Andrew Gallagher wrote:
> A key owner can (preferably automatically) create a “self-identity” on her primary key consisting of a well-known string that contains no personal information. To avoid breaking legacy search-by-id systems this string should be unique to the primary key. I suggest using “fpr:00000000000000000000000000000000000”, where the zeros are replaced by the fingerprint of the key. The self-identity (and any revocations on it) can then be safely distributed by keystores that would otherwise refuse to distribute personal info.

Minor thing: I suggest using 
"openpgp4fpr:00000000000000000000000000000000000" instead of "fpr". 
That'd make the User ID a valid URI as "openpgp4fpr" is an assigned URI 
Scheme, see:


Probably the cleanest solution (suggested by others) would be using 
direct key signature (0x1F) [0] and avoid User IDs entirely. Your 
suggestion Andrew has the benefit that it's immediately backwards 
compatible with software "in the wild".

[0]: https://tools.ietf.org/html/rfc4880#section-5.2.1

Kind regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190719/059b9ba5/attachment-0001.sig>

More information about the Gnupg-users mailing list