sks-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] 0xd5920e937cc1e39b shows signatures with 0xca57ad7c cont

From: Jeffrey Johnson
Subject: Re: [Sks-devel] 0xd5920e937cc1e39b shows signatures with 0xca57ad7c continuing?
Date: Sun, 27 May 2012 09:33:21 -0400 
On May 27, 2012, at 6:03 AM, Kristian Fiskerstrand wrote:

> 
> The reason this differ from the e.g the PGP Corp auto-signature, is that
>       (i) It add a lot of bloat
>       (ii) removing the expired old signatures, in my mind, doesn't reduce
> the security of the overall system
>       (iii) I question the usefulness of the auto-signing itself.
> 

As near as I can tell the intent behind the auto-signature, it seems
that the PGP Directory Server is attempting "origin authentication"
(as in this key was accessed from the directory server at a known point in time)
using a digital signature.

The bloat is coming from the 1 week (iirc) period which governs both how
often the pubkey is resigned, and how long the signature is valid.

I'd agree the current "security of the overall system" isn't weakened
by filtering expired signatures. However, the robo-signing is also
providing a persistent time record at a 1-week granularity indicating
the history of specific public keys.

The historical record could be preserved through archiving: most
usage cases of signatures do not use the time stamp as anything
other than an informative piece of metadata.

But personally I think the robo-signing is bloated/unnecessary: a single
signature SHOULD suffice as an index point into historical/archival
records with some notary provided by pgp.com, not from SKS key servers.

hth

73 de Jeff
reply via email to
[Prev in Thread] Current Thread [Next in Thread]