From: John Clizbe
Subject: Re: [Sks-devel] SKS should not accept or replay non-exportable certifications
Date: Fri, 13 Sep 2013 16:09:04 -0500
User-agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 SeaMonkey/2.21

Phil Pennock wrote:
> On 2013-09-12 at 19:40 -0400, Daniel Kahn Gillmor wrote:
>> While this seems like it is probably a fixable bug for someone who knows
>> their way around the codebase, I foresee problems with synchronizing the
>> pool, if some SKS keyservers start following the spec and others remain
>> non-compliant.
>> 
>> Any thoughts or suggestions on how to resolve this problem?
> 
> A hack would be to have a filter on, which strips them by default, and
> clean=off disables that.  The data's out there, trying to pretend it's
> not would be problematic in many ways, so we might as well just ensure
> that normal retrievals don't pick up the sigs, and also of course block
> _new_ uploads of such sigs.

Actually, the hack here, as discussed over on gnupg-users, is trying to use
lsign to mark a key to keep it off of the keyservers. The problem is that it
produces a key that, if the erroneous use is followed, has no binding
self-sig on the UID. While a regular certification and a self-sig are both
signatures, the selfsig performs other important functions within OpenPGP.

There is nothing to fix here, either in SKS or in GnuPG. The thread on
GnuPG-users has the needed discussion.

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:address@hidden

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
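
The marker this thread turns on is the Exportable Certification signature subpacket (type 4, RFC 4880 section 5.2.3.11), which a filter like the one quoted above would have to test on every certification. The following is an added example, not part of the original post and not SKS or GnuPG code; the function names and the sample bytes are constructed for illustration.

```python
# Added example: find local (non-exportable) certifications in OpenPGP v4
# signature packet bodies, per RFC 4880 sections 5.2.3 and 5.2.3.11.
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}  # certifications of a User ID
EXPORTABLE = 4                         # subpacket type "Exportable Certification"

def subpackets(area):
    """Yield (type, data) for each subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                          # one-octet length
            length, i = first, i + 1
        elif first < 255:                        # two-octet length
            if i + 1 >= len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                    # 0xFF + four-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the critical bit
        i += length

def is_non_exportable_cert(body):
    """True if a v4 signature packet body is a certification flagged non-exportable."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature packet body")
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    if body[1] not in CERT_TYPES:
        return False
    # Only the hashed area is checked: unhashed subpackets are not covered
    # by the signature and could be altered by anyone.
    for sp_type, data in subpackets(hashed):
        if sp_type == EXPORTABLE and len(data) == 1:
            return data[0] == 0
    return False  # subpacket absent: the certification is exportable

def sample_sig(sig_type, hashed):
    """Constructed body: RSA (1), SHA-256 (8), empty unhashed area, dummy hash prefix and MPI."""
    return (bytes([4, sig_type, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\xff")

CTIME = b"\x05\x02\x52\x33\x7f\x00"    # constructed creation-time subpacket
LSIGN = sample_sig(0x10, CTIME + b"\x02\x04\x00")   # exportable flag = 0 (local sig)
NORMAL = sample_sig(0x10, CTIME)                    # no flag: exportable by default
print(is_non_exportable_cert(LSIGN), is_non_exportable_cert(NORMAL))
```

The check applies only to certification types 0x10 through 0x13; whether the signature being tested is a third-party certification or the UID's own self-signature has to be decided separately by comparing issuer and key.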



