Re: [Sks-devel] SKS should not accept or replay non-exportable certifications
From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] SKS should not accept or replay non-exportable certifications
Date: Fri, 13 Sep 2013 17:48:17 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130821 Icedove/17.0.8
On 09/13/2013 05:09 PM, John Clizbe wrote:
> Phil Pennock wrote:
>> On 2013-09-12 at 19:40 -0400, Daniel Kahn Gillmor wrote:
>>> While this seems like it is probably a fixable bug for someone who knows
>>> their way around the codebase, I foresee problems with synchronizing the
>>> pool, if some SKS keyservers start following the spec and others remain
>>> non-compliant.
>>>
>>> Any thoughts or suggestions on how to resolve this problem?
>>
>> A hack would be to have a filter on, which strips them by default, and
>> clean=off disables that. The data's out there, trying to pretend it's
>> not would be problematic in many ways, so we might as well just ensure
>> that normal retrievals don't pick up the sigs, and also of course block
>> _new_ uploads of such sigs.
>
> Actually, the hack here, as discussed over on gnupg-users, is trying to use
> lsign to mark a key to keep it off of the keyservers. The problem is that
> this produces a key which, if the erroneous use is followed, has no binding
> self-sig on the UID. While a regular certification and a self-sig are both
> signatures, the selfsig performs other important functions within OpenPGP.
I'm sorry if my work on non-exportable self-sigs seems to be distracting
from the point about non-exportable certifications in general. Let's
set aside the self-sigs, and just look at third-party certifications.
RFC 4880 is explicit:
    Some implementations do not represent the interest of a single user
    (for example, a key server). Such implementations always trim local
    certifications from any key they handle.
Someone™ (0x75D292D353ADACCD) made a non-exportable certification on
your user ID "John P. Clizbe <address@hidden>"
(2048R/0x2313315C435BD034). Someone else uploaded that key to a
keyserver (ok, i admit it was me :P). The keyserver network is
currently propagating that non-exportable certification, in
contravention of the OpenPGP standard.
> There is nothing to fix here, either in SKS or in GnuPG. The thread on
> GnuPG-users has the needed discussion.
I don't think this conclusion is warranted.
Regards,
--dkg