Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)

[David Shaw]

On Fri, Sep 09, 2005 at 12:22:00AM -0400, Jason Harris wrote:

> > If I ran a keyserver, would it be appropriate for me to drop all
> > signatures from your key D39DA0E3 simply because they're available
> > somewhere else?
> 
> keyserver.pgp.com doesn't synchronize with other keyservers, by design,
> which they maintain to be a GoodThing(TM).  Are you currently insinuating
> that the GD sigs should spam the well-synchronized keyservers?

Obviously not.  The GD is an island that synchronizes with nobody.
The whole design of it is radically different than the other
keyservers out there in that it is not designed to store all keys.  It
is designed to store one key per active user, and that is enforced.
Synchronizing would destroy that design goal.  Not synchronizing is
also the only way they can avoid certain semantic problems with robot
CAs.

Still, Jason, you can't have it both ways: you complain that the GD
won't sync, and you complain that the GD signatures leak out.  Which
do you want to fix?

> > Personal opinions as to the usefulness of signatures should not be a
> > factor in what a keyserver stores.  It's a very dangerous path to go
> > down: do you also strip signatures from someone "known" to be a bad
> > signer?  What's the criteria for inclusion in your keyserver?  Is it
> > stated somewhere so users can read it?
> 
> Right now, TTBOMK, only the GD is, indeed, ""known" to be a bad signer."

Known by *you*.  I rather think the GD is a good signer, for what it
is.  I know a whole lot of other people who think the GD is a good
signer, just as I know a whole lot of people who think the GD is a bad
signer.  Is your keyserver for you personally or for the public?

Do understand, this isn't about the GD specifically: it's about a
keyserver operator who is editing their database to present a
different trust view than is really there.  When do your personal
preferences start impacting a public service?  If a user fetches a key
from sks.dnsalias.net they see one view of the world.  If they fetch
the same key from your keyserver, they see your private view of the
world.

Or to put it another way: I know dozens of bad signers (I could tell
some horror stories here).  Should you drop their signatures too?

With regards to the GD problem, specifically: Jason, I've seen you do
amazing things with debugging the keyserver net, and point to exactly
where particular signatures entered the net.  Why don't you just see
where the signatures are leaking in from before you redefine what a
keyserver stores to suit yourself?  They're not coming from the GD,
and PGP and GnuPG have no way to bridge them automatically.  Therefore
someone is doing it manually, and on a regular basis.

If you insist on presenting a different view to users than the entire
rest of the keyserver net, without any way to turn such a "feature"
off, then I suggest that keyserver.kjsl.com be removed from the
subkeys.pgp.net rotation.  It will cause more confusion than benefit.

David