ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: PGP Keyserver Synchronization Protocol

1999-07-02 04:10:53
from [Patrick Feisthammel] [Permanent Link] 
-----BEGIN PGP SIGNED MESSAGE-----

Hi!

On Fri, 2 Jul 1999, Marcel Waldvogel wrote:


Both strategies, either keeping the first (revocation) signature or
updating them, is open to DoS. I would prefer the keyservers to keep
(and return) all duplicate (revocation) signatures, but only display
one of them. Then the user's OpenPGP implementation should deal with
it. Duplicate signatures shouldn't break anything, but I would like
to know whether anyone assumes that duplicate revocations might break
something?


I do not think they break something. OpenPGP implementation should handle
multiple signatures with similar meaning. 

If there are implementations which have different behaviour according to
the additional information of the signature, they can have problems.
Such additional informations are the creation time of the signature (an
implementation could treat signatures valid if they occured befor the
revocation of the key) or the reason for the revocation (if the reason is
a changed userID the OpenPGP implementation could take signatures for 
valid, but not if the reason is a compromised key).

IMHO the keyservers should store all key information and not try to guess
what part of this information an application needs to work. 


Cheers,
Patrick

- ---
PGP-KeyID: DD934139 (pafei(_at_)rubin(_dot_)ch)    encrypt mail with PGP if 
possible
more about PGP on http://www.rubin.ch/pgp/ (english and german)
what ist the web of trust? see http://www.rubin.ch/pgp/weboftrust.en.html
Das Vertrauensnetz von PGP:    http://www.rubin.ch/pgp/weboftrust.de.html

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQESAwUBN3ye7ZVgYabdk0E5AQFM5AfiA+RtuAFoxpoDU3zPaFBbPcgdKKZH8fYH
op3dUWOsVBqXXhCfTYHbvWEr+Z9kZnIzoDlikheVmfjdGmPDi6Q5YuHr/TARdGKH
3v7wK/5kMo1WeiP89Ct6yllP5uVfiuNUnL+qM5k+5pIP5GB4CalscpeCkzAWx6pO
IILQVEmsYDIpk+pOUn4nV0S/pH1gi6Qce884dnWxqNnJSB7iLKKeu0Gst+GHrwXN
2N8VhYe347vFO4opv86gRY/kCYA9YuyWhVCSb3E6xtknhCl3eL+n2hjyxJVDx3Wq
8XkvNkCHu/ENiMuxfoRa+F3M5pEKmMJnD6pdfYgFb5uaXiuZRQ==
=WRQf
-----END PGP SIGNATURE-----
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: PGP Keyserver Synchronization Protocol, Marcel Waldvogel
Next by Date:  PGP 6.5.1 - word list and SDAs?, Thomas Roessler
Previous by Thread:  Re: PGP Keyserver Synchronization Protocol, Marcel Waldvogel
Next by Thread:  PGP 6.5.1 - word list and SDAs?, Thomas Roessler
Indexes:  [Date] [Thread] [Top] [All Lists]