Why Don’t We Clean Up The PGP Key Servers?

By Daniel Miessler on February 16th, 2006: Tagged as Information Security | Infosec | Privacy

I think the InfoSec community needs to make a push to purge the PGP key servers. I think it’d be nice to start off with a clean slate, you know? Virtually everyone I know has at least one public key up on a server that they no longer have the secret key for. It’s a cluster to the nth degree.

I just think it’d be nice to start fresh. Everyone who manages keyservers could send a series of notification emails to the addresses listed in their key database, and after like a year (or whatever agreed upon amount of time), the deletions would begin.

Worst case scenario is that some people need to re-upload their public keys. I think it’s a small price to pay given the resulting “fresh” feeling. I for one can’t stand looking at all those redundant, orphaned keys — it’s the OC in me I suppose.

Thoughts? Anyone agree?





--



8 Comments »

  1. +1

    I think the operators of the keyservers disagree, though. In the past, I spent some time on the gnupg-users list, and every once in a while someone would ask how to delete their old unusable keys, and the keyserver operators would chime in with reasons about why it was a bad idea. I don’t remember most of the reasons, but I was never quite convinced.

    Comment by Darren Chamberlain — 2/16/2006 @ 2:10 pm

  2. +1

    Hear Hear!

    Comment by Zhasper — 2/16/2006 @ 5:48 pm

  3. I’d be interested in hearing their reasons. I can see why not to allow arbitrary key deletion from users, but they should consider doing a “house cleaning”.

    Comment by Daniel — 2/16/2006 @ 10:28 pm

  4. I am deeply troubled by the PGP clutter. Seriously, this keep s me up at nights. ;)

    Comment by Jason Powell — 2/17/2006 @ 8:17 pm

  5. Peoples’ comments who don’t use PGP don’t count. ;)

    Comment by Daniel — 2/18/2006 @ 11:12 am

  6. I beg your pardon, but I actually do use PGP, daily. So there. Nuh.

    Comment by Jason Powell — 2/18/2006 @ 12:15 pm

  7. Just saw your post on Digg, and yes, I think we’ve all lost the key (and passphrase) from the time we tried it first in 1998.

    pgpkeyserver # rm /var/spool/keys/* -rf pgpkeyserver #

    Comment by Calum — 5/2/2006 @ 4:28 pm

  8. Like most PGP users I have at least one unrevoked public key from my early experiments lyeing around, I’d like to see this problem fixed too.

    My own suggestion would be to ban keys with infinite expirery dates. 3 years should be the absolute maximum. Any infinite timed keys in existance shall be given 3 years untill expery.

    Comment by Tortanick — 12/29/2006 @ 9:47 am

RSS Feed For This Post...
This Post's TrackBack URI

Leave a Comment...