On Fri, Sep 09, 2005 at 12:22:00AM -0400, Jason Harris wrote:

> > If I ran a keyserver, would it be appropriate for me to drop all
> > signatures from your key D39DA0E3 simply because they're available
> > somewhere else?
>
> keyserver.pgp.com doesn't synchronize with other keyservers, by design,
> which they maintain to be a GoodThing(TM). Are you currently insinuating
> that the GD sigs should spam the well-synchronized keyservers?

Obviously not. The GD is an island that synchronizes with nobody. The
whole design of it is radically different from the other keyservers out
there in that it is not designed to store all keys. It is designed to
store one key per active user, and that is enforced. Synchronizing would
destroy that design goal. Not synchronizing is also the only way they can
avoid certain semantic problems with robot CAs.

Still, Jason, you can't have it both ways: you complain that the GD won't
sync, and you complain that the GD signatures leak out. Which do you want
to fix?

> > Personal opinions as to the usefulness of signatures should not be a
> > factor in what a keyserver stores. It's a very dangerous path to go
> > down: do you also strip signatures from someone "known" to be a bad
> > signer? What are the criteria for inclusion in your keyserver? Are
> > they stated somewhere so users can read them?
>
> Right now, TTBOMK, only the GD is, indeed, "known to be a bad signer."

Known by *you*. I rather think the GD is a good signer, for what it is.
I know a whole lot of other people who think the GD is a good signer,
just as I know a whole lot of people who think the GD is a bad signer.
Is your keyserver for you personally or for the public?

Do understand, this isn't about the GD specifically: it's about a
keyserver operator who is editing their database to present a different
trust view than is really there. When do your personal preferences start
impacting a public service? If a user fetches a key from sks.dnsalias.net
they see one view of the world. If they fetch the same key from your
keyserver, they see your private view of the world.

Or to put it another way: I know dozens of bad signers (I could tell some
horror stories here). Should you drop their signatures too?

With regards to the GD problem, specifically: Jason, I've seen you do
amazing things with debugging the keyserver net, and point to exactly
where particular signatures entered the net. Why don't you just see where
the signatures are leaking in from before you redefine what a keyserver
stores to suit yourself? They're not coming from the GD, and PGP and
GnuPG have no way to bridge them automatically. Therefore someone is
doing it manually, and on a regular basis.

If you insist on presenting a different view to users than the entire
rest of the keyserver net, without any way to turn such a "feature" off,
then I suggest that keyserver.kjsl.com be removed from the
subkeys.pgp.net rotation. It will cause more confusion than benefit.

David

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/sks-devel
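The two complaints in the message above, that a filtering keyserver shows a different "view of the world" than the synchronized net, and that one can trace where a signature is and is not present, both reduce to the same check: pull the same key from several servers and compare the certification sets. The script below is an added example written for this thread; it is not code from the SKS project, from GnuPG, or from the message author. It goes beyond the two-server case in the text and compares any number of servers at once. It consumes `gpg --with-colons --list-sigs` output (a real format; the field positions used are noted in the comments), but every hostname, key ID and user ID in the embedded sample dumps is a constructed placeholder, and the "filtered" server is simply the full dump with one signature removed.

```python
"""Compare the certifications on one key as served by several keyservers.

Added example for this thread; not SKS, GnuPG or the author's own code.
All hostnames, key IDs and user IDs below are constructed placeholders.

Real-world use: per server, fetch the key into a scratch keyring with
    gpg --homedir /tmp/kr-$SERVER --keyserver $SERVER --recv-keys $KEYID
capture
    gpg --homedir /tmp/kr-$SERVER --with-colons --list-sigs $KEYID
and hand the captured text to presence_table() keyed by server name.
"""
from __future__ import annotations

from collections import defaultdict

# --with-colons record layout relied on here (GnuPG 1.4 and 2.x):
#   pub / uid : field 10 carries the user ID (pub may leave it empty)
#   sig       : field 5 = signer key ID, field 6 = date, field 11 = sig class
#   sub       : starts the subkey section; signatures after it are binding
#               signatures, not certifications, and are ignored
Cert = tuple[str, str, str]  # (user ID, signer key ID, signature class)

# Constructed dump: one key, one user ID, three certifications, one subkey.
DUMP_FULL = """\
pub:-:1024:17:0000000000000001:2001-03-14:::-:::scESC::::::
uid:-::::2001-03-14::0123456789ABCDEF0123456789ABCDEF01234567::Placeholder One <one@example.org>::::::::::0:
sig:::17:0000000000000001:2001-03-14::::Placeholder One <one@example.org>:13x:::::::::
sig:::17:0000000000000002:2003-06-01::::Placeholder Two <two@example.org>:10x:::::::::
sig:::1:0000000000000003:2005-08-20::::Robot CA (placeholder) <robot@example.net>:10x:::::::::
sub:-:1024:16:0000000000000004:2001-03-14:::::e::::::
sig:::17:0000000000000001:2001-03-14::::Placeholder One <one@example.org>:18x:::::::::
"""

# A server that strips the robot CA's certification: same dump minus that line.
DUMP_FILTERED = "\n".join(
    line for line in DUMP_FULL.splitlines() if "0000000000000003" not in line
)

# Constructed server names; two well-synchronized servers and one that filters.
SAMPLE_DUMPS = {
    "sks-a.example.org": DUMP_FULL,
    "sks-b.example.org": DUMP_FULL,
    "filtered.example.org": DUMP_FILTERED,
}


def parse_certs(dump: str) -> set[Cert]:
    """Extract the certification signatures on user IDs from one dump."""
    certs: set[Cert] = set()
    current_uid: str | None = None
    for line in dump.splitlines():
        fields = line.split(":")
        if len(fields) < 11:
            continue
        rec = fields[0]
        if rec == "pub":
            current_uid = fields[9] or None  # gpg 1.4 puts the primary uid here
        elif rec == "uid":
            current_uid = fields[9]
        elif rec == "sub":
            current_uid = None  # subkey binding sigs are not certifications
        elif rec == "sig" and current_uid:
            certs.add((current_uid, fields[4], fields[10]))
    return certs


def presence_table(dumps: dict[str, str]) -> dict[Cert, frozenset[str]]:
    """Map every certification seen anywhere to the servers that serve it."""
    seen: dict[Cert, set[str]] = defaultdict(set)
    for server, dump in dumps.items():
        for cert in parse_certs(dump):
            seen[cert].add(server)
    return {cert: frozenset(servers) for cert, servers in seen.items()}


def partial_certs(dumps: dict[str, str]) -> dict[Cert, frozenset[str]]:
    """Certifications that at least one server omits: the ones worth chasing."""
    everyone = frozenset(dumps)
    return {c: s for c, s in presence_table(dumps).items() if s != everyone}


def report(dumps: dict[str, str]) -> None:
    """Print, per divergent certification, who serves it and who does not."""
    for (uid, signer, cls), servers in sorted(partial_certs(dumps).items()):
        missing = sorted(set(dumps) - servers)
        print(f"{uid}: class {cls} sig by {signer} "
              f"on {sorted(servers)}, missing from {missing}")


if __name__ == "__main__":
    report(SAMPLE_DUMPS)
```

Run against real servers, a certification that `partial_certs` reports as present on every synchronized server but absent from one host is the "private view of the world" the message objects to; a certification present on a single server and nowhere else is the entry point to look at when tracing where a signature leaked into the net.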