Why Don’t We Clean Up The PGP Key Servers?

By Daniel Miessler on February 16th, 2006: Tagged as Information Security | Infosec | Privacy

I think the InfoSec community needs to make a push to purge the PGP key servers. I think it’d be nice to start off with a clean slate, you know? Virtually everyone I know has at least one public key up on a server that they no longer have the secret key for. It’s a cluster to the n^th degree.

I just think it’d be nice to start fresh. Everyone who manages keyservers could send a series of notification emails to the addresses listed in their key database, and after like a year (or whatever agreed upon amount of time), the deletions would begin.

Worst case scenario is that some people need to re-upload their public keys. I think it’s a small price to pay given the resulting “fresh” feeling. I for one can’t stand looking at all those redundant, orphaned keys — it’s the OC in me I suppose.

Thoughts? Anyone agree?

Viewing 8 Comments

Darren Chamberlain 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

+1

I think the operators of the keyservers disagree, though. In the past, I spent some time on the gnupg-users list, and every once in a while someone would ask how to delete their old unusable keys, and the keyserver operators would chime in with reasons about why it was a bad idea. I don't remember most of the reasons, but I was never quite convinced.

reply edit reblog flag

http://sevenroot.org/dlc/

Zhasper 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

+1

Hear Hear!

reply edit reblog flag

http://zhasper.com

Daniel Miessler 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I'd be interested in hearing their reasons. I can see why not to allow arbitrary key deletion from users, but they should consider doing a "house cleaning".

reply edit reblog flag

1 /people/danielrm26/ /people/danielrm26/following/ http://dmiessler.com/ danielrm26

Jason Powell 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I am deeply troubled by the PGP clutter. Seriously, this keep s me up at nights. ;)

reply edit reblog flag

http://jtpowell.blogspot.com

Daniel Miessler 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Peoples' comments who don't use PGP don't count. ;)

reply edit reblog flag

1 /people/danielrm26/ /people/danielrm26/following/ http://dmiessler.com/ danielrm26

Jason Powell 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I beg your pardon, but I actually do use PGP, daily. So there. Nuh.

reply edit reblog flag

http://jtpowell.blogspot.com

Calum 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Just saw your post on Digg, and yes, I think we've all lost the key (and passphrase) from the time we tried it first in 1998.

pgpkeyserver # rm /var/spool/keys/* -rf
pgpkeyserver #

reply edit reblog flag

http://calum.org/

Tortanick 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Like most PGP users I have at least one unrevoked public key from my early experiments lyeing around, I'd like to see this problem fixed too.

My own suggestion would be to ban keys with infinite expirery dates. 3 years should be the absolute maximum. Any infinite timed keys in existance shall be given 3 years untill expery.

reply edit reblog flag