
Re: [Sks-devel] IPv6 peering; keydumps annoyingly large


From: Xian Stannard
Subject: Re: [Sks-devel] IPv6 peering; keydumps annoyingly large
Date: Wed, 01 Jun 2011 14:08:15 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.17) Gecko/20110414 Lightning/1.0b2 Thunderbird/3.1.10

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/06/2011 10:18, Scott Grayban wrote:
> So just wait and see until the last minute to clean it up when DB does
> become an issue ?
> 
> I don't like that idea... that means in some future the entire pool
> could be down if we take the "wait and see" approach.
> 
> Why wait ? Why can't we run a script that will at least delete keys that
> have expired and revoked ? And then prevent such keys from being
> re-imported back into the db ? That would be the sensible thing to do
> now when we don't have any emergencies.
> 
> Regards,
> Scott Grayban
> 
>  /"\
>  \ /     ASCII RIBBON
>   X        FIGHT BREAST CANCER
>  / \

I've been considering this too and personally am in favour of some
mechanism to remove dead keys. I'll leave it to someone else to decide
what constitutes a dead key.

There must be a way to 'forget' all but a key's fingerprint (or some
other identifier) and not get a new copy of it when the server next
gossips. Then there is a way for a key to spend time in 'purgatory'
where it will not be gossiped, and the server can decide how long (if?)
it will be before the key material itself is deleted. Maybe it would be
possible to remove them from the purgatory list after a while?

It appears that some keys contain very strange information, e.g. using
public key algorithm numbers that aren't allowed by RFC 4880 or don't
contain the number of MPIs that are expected. Of course it could be that
my parser is not completely free of bugs; so I shall look very carefully
before declaring any key bad. If they are malformed, dropping them would
probably not cause a problem as I doubt they work as intended.

-- 
/Xian
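One way to mechanically apply the two RFC 4880 sanity checks Xian mentions (allowed public-key algorithm number, and the number of MPIs that algorithm is expected to carry), written here as an added example rather than Xian's parser or any SKS code. It handles only version 4 public-key packet bodies, and the sample bodies below are constructed with tiny numbers, not real key material.

```python
import struct

# Public-key algorithm IDs from RFC 4880 section 9.1 and the number of
# MPIs section 5.5.2 says each one carries in a version 4 public-key packet.
# Anything absent here (reserved, deprecated or experimental IDs) is rejected.
EXPECTED_MPIS = {
    1: 2,   # RSA (encrypt or sign): n, e
    2: 2,   # RSA encrypt-only: n, e
    3: 2,   # RSA sign-only: n, e
    16: 3,  # Elgamal encrypt-only: p, g, y
    17: 4,  # DSA: p, q, g, y
}

def parse_mpis(body, offset):
    """Walk the MPIs that follow the key header; return how many were found.
    An MPI is a 2-byte big-endian bit count followed by ceil(bits/8) bytes."""
    count = 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated MPI length")
        bits = struct.unpack(">H", body[offset:offset + 2])[0]
        nbytes = (bits + 7) // 8
        offset += 2
        if offset + nbytes > len(body):
            raise ValueError("truncated MPI body")
        offset += nbytes
        count += 1
    return count

def check_public_key_body(body):
    """Validate a version 4 public-key packet body (RFC 4880 section 5.5.2):
    version(1) | creation time(4) | algorithm(1) | algorithm-specific MPIs."""
    if len(body) < 6:
        return "truncated"
    version, algo = body[0], body[5]
    if version != 4:
        return f"unsupported version {version}"
    if algo not in EXPECTED_MPIS:
        return f"algorithm {algo} not allowed"
    try:
        found = parse_mpis(body, 6)
    except ValueError as err:
        return str(err)
    if found != EXPECTED_MPIS[algo]:
        return f"expected {EXPECTED_MPIS[algo]} MPIs, found {found}"
    return "ok"

def mpi(value):
    """Encode an int as an RFC 4880 MPI (helper used to build the samples)."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")

# Constructed sample bodies (assumed values, not real keys).
GOOD_RSA = bytes([4]) + b"\x4d\xe6\x39\xbf" + bytes([1]) + mpi(0xC5) + mpi(65537)
BAD_ALGO = bytes([4]) + b"\x00\x00\x00\x00" + bytes([20]) + mpi(7) + mpi(2) + mpi(5)
SHORT_DSA = bytes([4]) + b"\x00\x00\x00\x00" + bytes([17]) + mpi(11) + mpi(3)
```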


