On 2019-07-02 at 12:24 +0200, Werner Koch via Gnupg-users wrote:
> > My opinion: make "keyserver-options import-clean" the default and
> > make it internally never import any unknown signatures.
>
> Sorry, this is a catch-22. We need the key to verify the signature.
I don't think so. You can have the signing key in the keyring, even if that one was imported with only its own self-sigs.

Ultimately, I think the signatures should only be imported when they are cross-signed by the key owner. This would require a migration step where people sign the signatures they already have on their key, but it would otherwise allow them to keep the 'precious signatures' they already have. Then there should probably be a new command that would have to be used to import the new signatures to your key that you are sent.

It won't fix the problem of malicious keys being made with thousands of fake signatures, but it pretty much solves the spamming problem by only putting the owner in charge of accepting the signatures that can go on his key.

Cheers

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
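The import filter proposed in the reply above (keep self-signatures, keep a third-party certification only when the key owner has cross-signed it, drop the rest), as an added example that is not part of the original message and not GnuPG's code. It is a model: Ed25519 stands in for OpenPGP signatures, the `KeyBlock`, `Certification` and `CrossSig` types and the `certMessage`/`certDigest` encodings are assumptions of this example, not OpenPGP packet formats, and the flooded key in `Scenario` is constructed test data. The point it shows is that the decision needs only the imported key's own public key, which avoids the catch-22 of having to fetch the certifier's key first.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Certification is a third-party (or self) signature binding a key to a UID.
// Assumed layout for this example; OpenPGP carries the issuer as a subpacket.
type Certification struct {
	IssuerFpr string // fingerprint of the certifying key
	Sig       []byte // Ed25519 signature over certMessage(targetFpr, uid)
}

// CrossSig is the owner's countersignature endorsing one Certification.
type CrossSig struct {
	Over [32]byte // SHA-256 digest of the endorsed certification
	Sig  []byte   // owner's signature over Over[:]
}

// KeyBlock is a primary key with its UID, certifications and cross-sigs.
type KeyBlock struct {
	Pub       ed25519.PublicKey
	UID       string
	Certs     []Certification
	CrossSigs []CrossSig
}

// Fingerprint is a truncated hash of the public key (example convention).
func Fingerprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:8])
}

// certMessage is what a certifier signs: the key/UID binding.
func certMessage(targetFpr, uid string) []byte {
	return []byte("cert\x00" + targetFpr + "\x00" + uid)
}

// certDigest identifies a certification for the owner's cross-signature.
func certDigest(c Certification) [32]byte {
	return sha256.Sum256(append([]byte(c.IssuerFpr+"\x00"), c.Sig...))
}

// Certify signs the target's key/UID binding with the issuer's key.
func Certify(issuerPriv ed25519.PrivateKey, target *KeyBlock) Certification {
	pub := issuerPriv.Public().(ed25519.PublicKey)
	msg := certMessage(Fingerprint(target.Pub), target.UID)
	return Certification{IssuerFpr: Fingerprint(pub), Sig: ed25519.Sign(issuerPriv, msg)}
}

// CrossSign is the owner accepting one certification onto their key
// (the "migration step" for existing signatures, and the path for new ones).
func CrossSign(ownerPriv ed25519.PrivateKey, c Certification) CrossSig {
	d := certDigest(c)
	return CrossSig{Over: d, Sig: ed25519.Sign(ownerPriv, d[:])}
}

// ImportClean keeps a self-signature if it verifies under the key itself,
// keeps a third-party certification only if a valid owner cross-signature
// covers it, and silently drops everything else. Certifier keys are never
// needed here; their signatures can be checked later, once those keys exist.
func ImportClean(in KeyBlock) KeyBlock {
	ownerFpr := Fingerprint(in.Pub)
	endorsed := make(map[[32]byte]CrossSig)
	for _, cs := range in.CrossSigs {
		if ed25519.Verify(in.Pub, cs.Over[:], cs.Sig) { // only the owner can endorse
			endorsed[cs.Over] = cs
		}
	}
	out := KeyBlock{Pub: in.Pub, UID: in.UID}
	selfMsg := certMessage(ownerFpr, in.UID)
	for _, c := range in.Certs {
		if c.IssuerFpr == ownerFpr {
			if ed25519.Verify(in.Pub, selfMsg, c.Sig) {
				out.Certs = append(out.Certs, c)
			}
			continue
		}
		if cs, ok := endorsed[certDigest(c)]; ok {
			out.Certs = append(out.Certs, c)
			out.CrossSigs = append(out.CrossSigs, cs)
		}
	}
	return out
}

// Scenario builds a flooded key (constructed data) and reports how many
// certifications survive the filter and how many are dropped.
func Scenario() (kept, dropped int) {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, friendPriv, _ := ed25519.GenerateKey(rand.Reader)
	kb := KeyBlock{Pub: ownerPub, UID: "Alice <alice@example.org>"}

	kb.Certs = append(kb.Certs, Certify(ownerPriv, &kb)) // self-signature
	friend := Certify(friendPriv, &kb)                   // a wanted certification
	kb.Certs = append(kb.Certs, friend)
	kb.CrossSigs = append(kb.CrossSigs, CrossSign(ownerPriv, friend))

	// Flooding: 50 throwaway keys certify Alice. The attacker also attaches
	// "cross-signatures" made with its own keys; these must not count.
	for i := 0; i < 50; i++ {
		_, spamPriv, _ := ed25519.GenerateKey(rand.Reader)
		spam := Certify(spamPriv, &kb)
		kb.Certs = append(kb.Certs, spam)
		kb.CrossSigs = append(kb.CrossSigs, CrossSign(spamPriv, spam))
	}
	clean := ImportClean(kb)
	return len(clean.Certs), len(kb.Certs) - len(clean.Certs)
}

func main() {
	kept, dropped := Scenario()
	fmt.Printf("kept %d certifications, dropped %d\n", kept, dropped)
}
```

Note the asymmetry the reply relies on: the filter cannot tell whether a dropped certification was genuine, only that the owner never endorsed it, so a key whose owner makes thousands of bogus cross-signatures still imports in full. That is the residual "malicious keys with thousands of fake signatures" problem the message concedes.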