Re: [Sks-devel] Oh, Jeeez...!

[Martin Papik]

I have a few thoughts, if I may.

If I understand the gist of this discussion you're trying to clean up
bad entries and add a support to delete such entries on a regular basis.
I think this is a dangerous idea, maybe not completely bad, but IMHO it
requires very careful thought. The reason is that it changes the
fundamental security model of the key server system from an append only
system to an editable system. Removal is edit. Who will edit it, when,
how, who will verify it. And why should I trust these allegedly
trustworthy people not to delete my keys by accident, not to mention the
possibility of doing it maliciously. An append only system is simpler,
by design. And it was my understanding that the existing system was
designed the way it was specifically to avoid having to trust anyone
with deletions and the disk space was accepted as a price. Am I wrong in
this? There's also the question of how one can determine if a key is
bogus or valid and how can a set of administrators come to the same
conclusion independently. And will this put the system in the hands of a
few?

Second, I saw a mention of proof of work, while it's a good idea in many
cases, but I have my doubts in this specific case. There are existing
clients out there that know how to publish keys. Adding a proof of work
to the system will disconnect these clients or invalidate the proof of
work system. Doesn't it? Clients may need to be modified, transition
need to be considered, at the very least.

I understand that the system is under load that's considered
unnecessary, maybe even abused. But IMHO changes to the fundamental
properties of the system need to be very seriously considered. Will it
weaken the system's security properties and will the changes be
backwards compatible, these are the questions I bring to the discussion.


Martin