I have a few thoughts, if I may. If I understand the gist of this discussion, you're trying to clean up bad entries and add support to delete such entries on a regular basis. I think this is a dangerous idea, maybe not completely bad, but IMHO it requires very careful thought. The reason is that it changes the fundamental security model of the key server system from an append-only system to an editable system. Removal is an edit. Who will edit it, when, how, who will verify it? And why should I trust these allegedly trustworthy people not to delete my keys by accident, not to mention the possibility of doing it maliciously? An append-only system is simpler, by design. And it was my understanding that the existing system was designed the way it was specifically to avoid having to trust anyone with deletions, and the disk space was accepted as a price. Am I wrong in this? There's also the question of how one can determine if a key is bogus or valid and how a set of administrators can come to the same conclusion independently. And will this put the system in the hands of a few?

Second, I saw a mention of proof of work. While it's a good idea in many cases, I have my doubts in this specific case. There are existing clients out there that know how to publish keys. Adding a proof of work to the system will disconnect these clients or invalidate the proof of work system. Doesn't it? Clients may need to be modified, and the transition needs to be considered, at the very least. I understand that the system is under load that's considered unnecessary, maybe even abused. But IMHO changes to the fundamental properties of the system need to be very seriously considered. Will it weaken the system's security properties, and will the changes be backwards compatible? These are the questions I bring to the discussion.

Martin

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel