Re: [Sks-devel] 0xd5920e937cc1e39b shows signatures with 0xca57ad7c continuing?

[John Clizbe]

Jeffrey Johnson wrote:
> 
> Its the expired robo-signatures on existing pubkeys, not
> the pubkeys, that need filtering. There is also a need to
> delete pubkeys
> 
> Is there a solution that can filter out specific expired
> signatures on pub keys that can be gossip'd efficiently?
> 
> AFAIK additional certification signatures are accumulated
> and the pubkeys are then re-distributed and re-merged.
> 
> How should one block distributing a specific pubkey's expired signatures
> on all existing pubkeys efficiently?

<lots of top and bottom posting mix snipped>

I'm with Rob. The keyservers should always host full certificates. Once we
start expiring keys or modifying them by removing bits, we become the
Untrusted Keyserver Cabal. Many would abandon us, probably forking to create a
new keyserver network of unmodified keys. IMO, leaving SKS to become this
century's PKS.

Now, that doesn't mean we always have to serve full certificates to clients.

&options=clean -- much like GnuPG, remove unusable userIDs and sigs, remove
        duplicate signatures keeping the most recent, remove expired
        signatures

&options=minimal -- This removes all signatures except the most recent
        self-signature on each user ID. Also alá GnuPG

&options=no-uat -- remove User photos and other BLOB data and accompanying
        signatures

These have the unfortunate side-effect of requiring the addition of crypto to
handle the validation, but we'd only be doing it on lookup?op=get instead of
every time we processed the key. And HEY! the trunk is updated to the latest
cryptokit, 1.5.

-John