On 09/13/2013 05:09 PM, John Clizbe wrote:
> Phil Pennock wrote:
>> On 2013-09-12 at 19:40 -0400, Daniel Kahn Gillmor wrote:
>>> While this seems like it is probably a fixable bug for someone who knows
>>> their way around the codebase, I foresee problems with synchronizing the
>>> pool, if some SKS keyservers start following the spec and others remain
>>> non-compliant.
>>>
>>> Any thoughts or suggestions on how to resolve this problem?
>>
>> A hack would be to have a filter on, which strips them by default, and
>> clean=off disables that. The data's out there, trying to pretend it's
>> not would be problematic in many ways, so we might as well just ensure
>> that normal retrievals don't pick up the sigs, and also of course block
>> _new_ uploads of such sigs.
>
> Actually, the hack here, as discussed over on gnupg-users, is trying to use
> lsign to mark a key to keep it off of the keyservers. The problem is that
> produces a key that, if the erroneous use is followed, has no binding
> self-sig on the UID. While a regular certification and a self-sig are both
> signatures, the selfsig performs other important functions within OpenPGP.
I'm sorry if my work on non-exportable self-sigs seems to be distracting from the point about non-exportable certifications in general. Let's set aside the self-sigs, and just look at third-party certifications.

RFC 4880 is explicit:

    Some implementations do not represent the interest of a single user
    (for example, a key server). Such implementations always trim local
    certifications from any key they handle.

Someone™ (0x75D292D353ADACCD) made a non-exportable certification on your user ID "John P. Clizbe <jpcli...@keyservers.net>" (2048R/0x2313315C435BD034). Someone else uploaded that key to a keyserver (ok, I admit it was me :P). The keyserver network is currently propagating that non-exportable certification, in contravention of the OpenPGP standard.

> There is nothing to fix here, either in SKS or in GnuPG. The thread on
> GnuPG-users has the needed discussion.

I don't think this conclusion is warranted.

Regards,

--dkg
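The trimming RFC 4880 asks of a keyserver, as an added Python example that is neither SKS nor GnuPG code: walk an OpenPGP packet stream and drop every v4 signature packet whose Exportable Certification subpacket (type 4) is 0. The key material at the bottom is constructed for the demo, not a real key, and the filter assumes no partial body lengths.

```python
# Keyserver-side filter: drop signature packets whose Exportable Certification subpacket is 0.
SIG_PACKET, EXPORTABLE_CERT = 2, 4   # packet tag 2; subpacket type 4 (RFC 4880 5.2.3.11)

def _header(data, i):                # -> (tag, header_len, body_len); no partial lengths
    ctb = data[i]
    if ctb & 0x40:                   # new-format header (RFC 4880 4.2.2)
        tag, b = ctb & 0x3F, data[i + 1]
        if b < 192: return tag, 2, b
        if b < 224: return tag, 3, ((b - 192) << 8) + data[i + 2] + 192
        if b == 255: return tag, 6, int.from_bytes(data[i + 2:i + 6], "big")
        raise ValueError("partial body lengths not supported")
    if ctb & 3 == 3: raise ValueError("indeterminate length not supported")
    n = 1 << (ctb & 3)               # old-format header (RFC 4880 4.2.1): 1, 2 or 4 length octets
    return (ctb >> 2) & 0x0F, 1 + n, int.from_bytes(data[i + 1:i + 1 + n], "big")

def _subpackets(area):               # yield (type, body) for each signature subpacket
    i = 0
    while i < len(area):
        b = area[i]
        if b < 192: n, i = b, i + 1
        elif b < 255: n, i = ((b - 192) << 8) + area[i + 1] + 192, i + 2
        else: n, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        yield area[i] & 0x7F, area[i + 1:i + n]      # mask the critical bit off the type
        i += n

def is_local_signature(body):        # v4 signature body carrying Exportable Certification = 0?
    if body[0] != 4: return False
    hl = int.from_bytes(body[4:6], "big")             # hashed subpacket area length
    ul = int.from_bytes(body[6 + hl:8 + hl], "big")   # unhashed subpacket area length
    area = body[6:6 + hl] + body[8 + hl:8 + hl + ul]  # the RFC puts it in the hashed area; check both
    return any(t == EXPORTABLE_CERT and v[:1] == b"\x00" for t, v in _subpackets(area))

def strip_local_certifications(data):   # packet stream -> same stream minus local signatures
    out, i = bytearray(), 0
    while i < len(data):
        tag, hlen, blen = _header(data, i)
        pkt = data[i:i + hlen + blen]
        if not (tag == SIG_PACKET and is_local_signature(pkt[hlen:])):
            out += pkt
        i += hlen + blen
    return bytes(out)

# Constructed sample (not a real key): key stub, user ID, exportable self-sig, local (lsign) cert.
def _pkt(tag, body):                 # new-format header with a one-octet length (body < 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body
def _sig(sig_type, subpackets):      # v4, RSA, SHA-256, hashed area = subpackets, empty unhashed area
    return _pkt(SIG_PACKET, bytes([4, sig_type, 1, 8, 0, len(subpackets)]) + subpackets + b"\x00\x00\xAB\xCD\x00\x08\xFF")
SAMPLE = (_pkt(6, b"\x04\x00\x00\x00\x00\x01") + _pkt(13, b"Example User <user@example.org>")
          + _sig(0x13, bytes([2, EXPORTABLE_CERT, 1]))   # self-certification, exportable
          + _sig(0x10, bytes([2, EXPORTABLE_CERT, 0])))  # third-party local certification, to be trimmed
```

Running `strip_local_certifications(SAMPLE)` keeps the key, the user ID and the exportable self-sig and drops only the last packet.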
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel