From: John Clizbe
Subject: Re: [Sks-devel] 0xd5920e937cc1e39b shows signatures with 0xca57ad7c continuing?
Date: Thu, 31 May 2012 00:58:08 -0500
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.20pre) Gecko/20110606 Mnenhy/0.8.5 SeaMonkey/2.0.15pre

Jeffrey Johnson wrote:
> 
> On May 30, 2012, at 10:58 PM, John Clizbe <address@hidden> wrote:
> 
>> Jeffrey Johnson wrote:
>>> 
>>> It's the expired robo-signatures on existing pubkeys, not
>>> the pubkeys, that need filtering. There is also a need to
>>> delete pubkeys
>>> 
>>> Is there a solution that can filter out specific expired
>>> signatures on pub keys that can be gossip'd efficiently?
>>> 
>>> AFAIK additional certification signatures are accumulated
>>> and the pubkeys are then re-distributed and re-merged.
>>> 
>>> How should one block distributing a specific pubkey's expired signatures
>>> on all existing pubkeys efficiently?
>> 
>> <lots of top and bottom posting mix snipped>
>> 
>> I'm with Rob. The keyservers should always host full certificates. Once we
>> start expiring keys or modifying them by removing bits, we become the
>> Untrusted Keyserver Cabal. Many would abandon us, probably forking to create a
>> new keyserver network of unmodified keys. IMO, leaving SKS to become this
>> century's PKS.
> 
> I don't disagree _EXCEPT_ when it's a robo-signer which is
> arguably adding signatures with 2 week expiries for years
> and years and years for not much purpose.

0xca57ad7c sigs are not being directly added to SKS, or if they are, then PGP
have changed the way their keyserver(s?) operates. The PGP servers have always
been LDAP based and have never sent updates to other keyservers.

Any new 0xca57ad7c sigs are because the owner of that cert is sending an
updated copy of his cert to the SKS keyservers.

>> 
>> Now, that doesn't mean we always have to serve full certificates to clients.
>> 
>> &options=clean -- much like GnuPG, remove unusable userIDs and sigs, remove
>>        duplicate signatures keeping the most recent, remove expired
>>        signatures
>> 
>> &options=minimal -- This removes all signatures except the most recent
>>        self-signature on each user ID. Also à la GnuPG
>> 
>> &options=no-uat -- remove User photos and other BLOB data and accompanying
>>        signatures
>> 
> 
> Now you're talking ;-)
> 
> Can the filtering also be automated on upload as well as download?
> That at least stops the drip drip drip as new signatures continue to
> be added.
> 
>> These have the unfortunate side-effect of requiring the addition of crypto to
>> handle the validation, but we'd only be doing it on lookup?op=get instead of
>> every time we processed the key. And HEY! the trunk is updated to the latest
>> cryptokit, 1.5.
>> 
> 
> Why is crypto needed? It's a set of RFC 2440/4880 expired packets that
> match a pubkey fingerprint that need to be dropped when retrieved: parsing
> is needed but not crypto afaik.

Look at clean again, and by extension minimal. First thing is to determine if
a sig is even valid. If it's invalid, we can auto-toss it. Then we can proceed
with the /rest/ of the cleaning/minimizing. We're also removing unusable UIDs,
so we need to validate the revocation sig on the UID.

no-uat is the only one I think could be done w/o crypto because it deletes a
UAT packet and all of its following sigs until it comes to another UID, etc...

-John
-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:address@hidden

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
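The point at the end of the message, that `no-uat` is the one filter that needs only packet parsing and no signature verification, is easy to show in code. What follows is an added example written for this page; it is not SKS code and not from either author of the thread. It walks the OpenPGP packet framing (old- and new-format headers, RFC 4880 section 4.2), drops every User Attribute packet (tag 17) together with the signature packets that follow it up to the next non-signature packet, and copies every other packet through byte-for-byte. The sample key is constructed here for the demonstration: the packet headers are real, the packet bodies are dummy filler and would not verify as a key. The function names (`parse_packets`, `strip_user_attributes`, `encode_packet`) are my own choice.

```python
"""Strip OpenPGP user-attribute (photo) packets and the signatures over them
using packet framing alone; no signature verification is involved."""

# Packet tags from RFC 4880 section 4.3
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY, TAG_USER_ATTRIBUTE = 2, 6, 13, 14, 17


def _need(data: bytes, i: int, k: int) -> bytes:
    """Return data[i:i+k], failing loudly if a packet header is cut short."""
    chunk = data[i:i + k]
    if len(chunk) != k:
        raise ValueError(f"offset {i}: packet header truncated")
    return chunk


def parse_packets(data: bytes) -> list:
    """Split binary (unarmored) OpenPGP data into (tag, raw_packet_bytes) pairs.

    raw_packet_bytes is header + body exactly as found, so kept packets can be
    re-emitted unchanged. Partial and indeterminate lengths are rejected:
    RFC 4880 only allows them for data packets, never in key material.
    """
    packets, i = [], 0
    while i < len(data):
        start, ctb = i, data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError(f"offset {start}: 0x{ctb:02x} is not a packet tag byte")
        if ctb & 0x40:  # new format: tag in the low 6 bits, variable-width length
            tag = ctb & 0x3F
            first = _need(data, i, 1)[0]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + _need(data, i, 1)[0] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(_need(data, i, 4), "big")
                i += 4
            else:  # 224..254 is a partial body length
                raise ValueError(f"offset {start}: partial body length in key material")
        else:  # old format: tag in bits 2-5, length type in the low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError(f"offset {start}: indeterminate length in key material")
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(_need(data, i, width), "big")
            i += width
        if i + length > len(data):
            raise ValueError(f"offset {start}: packet body truncated")
        i += length
        packets.append((tag, data[start:i]))
    return packets


def strip_user_attributes(data: bytes) -> bytes:
    """Drop each UAT packet and the signatures that certify it.

    A signature packet certifies whichever User ID / User Attribute precedes
    it, so after a dropped UAT every signature up to the next non-signature
    packet belongs to that UAT and goes with it. UIDs and their sigs, the
    primary key, subkeys and binding sigs are copied through untouched.
    """
    kept, in_dropped_uat = [], False
    for tag, raw in parse_packets(data):
        if tag == TAG_USER_ATTRIBUTE:
            in_dropped_uat = True
            continue
        if tag == TAG_SIGNATURE and in_dropped_uat:
            continue
        in_dropped_uat = False
        kept.append(raw)
    return b"".join(kept)


def encode_packet(tag: int, body: bytes, new_format: bool = True) -> bytes:
    """Frame a packet body; used only to build the constructed sample below."""
    n = len(body)
    if new_format:
        if n < 192:
            hdr = bytes([0xC0 | tag, n])
        elif n < 8384:
            hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
        else:
            hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    else:
        ltype = 0 if n < 256 else 1 if n < 65536 else 2
        hdr = bytes([0x80 | (tag << 2) | ltype]) + n.to_bytes((1, 2, 4)[ltype], "big")
    return hdr + body


# Constructed sample: real packet framing, dummy bodies (not a usable key).
# Mixes old- and new-format headers and a 300-byte "photo" UAT.
SAMPLE_KEY = b"".join([
    encode_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 20, new_format=False),
    encode_packet(TAG_USER_ID, b"Alice <alice@example.org>"),
    encode_packet(TAG_SIGNATURE, b"\x04\x13" + b"\x11" * 40),    # self-sig on UID
    encode_packet(TAG_SIGNATURE, b"\x04\x10" + b"\x22" * 40),    # third-party cert on UID
    encode_packet(TAG_USER_ATTRIBUTE, b"\x01" + b"\xff" * 300),  # photo UAT
    encode_packet(TAG_SIGNATURE, b"\x04\x13" + b"\x33" * 40),    # self-sig on UAT
    encode_packet(TAG_SIGNATURE, b"\x04\x10" + b"\x44" * 40),    # third-party cert on UAT
    encode_packet(TAG_PUBLIC_SUBKEY, b"\x04" + b"\x55" * 20, new_format=False),
    encode_packet(TAG_SIGNATURE, b"\x04\x18" + b"\x66" * 40),    # subkey binding sig
])


def packet_tags(data: bytes) -> list:
    return [tag for tag, _ in parse_packets(data)]


if __name__ == "__main__":
    stripped = strip_user_attributes(SAMPLE_KEY)
    print("before:", packet_tags(SAMPLE_KEY))              # [6, 13, 2, 2, 17, 2, 2, 14, 2]
    print("after: ", packet_tags(stripped))                # [6, 13, 2, 2, 14, 2]
    print("bytes removed:", len(SAMPLE_KEY) - len(stripped))  # 392
```

Two design points worth noting. The surviving packets are re-emitted as the exact bytes they arrived in, so a keyserver could apply this only to the copy it hands back on `lookup?op=get` and leave the stored key, and whatever it hashes for gossip, untouched. And the parser refuses partial and indeterminate lengths rather than guessing, because a filter that runs on untrusted uploads should fail closed on framing it does not understand. Contrast this with `clean` and `minimal`, where deciding whether a signature is valid, expired or a duplicate to discard means reading and verifying the signature body, which is exactly the crypto the message says those two options pull in.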