minimization: enumerate things that can be filtered, add section about koo

Heiko Schaefer 2023-11-17 16:03:47 +01:00
parent b049915e50
commit 4273dcbd78
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB

@ -327,6 +327,7 @@ The popular [SKS keyserver network experienced certificate flooding firsthand](h
write
```
(cert-mini)=
### Certificate minimization
Certificate minimization is the practice of presenting a partial view of a certificate by filtering out some of its components.
@ -337,7 +338,25 @@ Filtering out some elements of a certificate can have different benefits:
- In some contexts, data can be added to certificates by third parties, e.g. by adding third-party User ID certifications on some key servers. In the worst case this can lead to ["certificate flooding"](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html) which inflates the target certificate to a point where consumer software rejects the certificate completely. Filtering out elements can mitigate this.
- Sometimes, a certificate organically grows so big that the user software [has problems handing it](https://www.reddit.com/r/GnuPG/comments/bp23p4/my_key_is_too_large/).
#### Implementations
#### Elements that can be omitted as part of a minimization process
There are different types of elements that can be omitted during minimization:
- Subkeys (along with signatures on those subkeys)
- Identity components (along with both their self-signatures and third-party signatures)
- Signatures, by themselves:
- Self-signatures that have been superseded by newer self-signatures for the same purpose
- Third-party certifications
#### Minimization in applications
##### Hagrid, which runs keys.openpgp.org
The [hagrid keyserver software](https://gitlab.com/keys.openpgp.org/hagrid) doesn't publish the identity components in certificates by default. This is a central aspect of the [privacy policy](https://keys.openpgp.org/about/privacy) of the service. Certificates can be uploaded to the service by third parties, which is useful. However, identifying information is only distributed by the service on an explicit opt-in basis.
Separately, third-party certifications are currently filtered out by the service, to avoid flooding attacks.
##### GnuPG
GnuPG [strips some signatures on key import](https://dev.gnupg.org/T4607#127792).
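Review bot: The new list under "Elements that can be omitted as part of a minimization process" names what can be dropped, but not what a minimizer has to keep or what dropping an element costs the consumer. For the item "Self-signatures that have been superseded by newer self-signatures for the same purpose", consider adding a sentence that older self-signatures can still matter when a consumer evaluates the certificate at an earlier reference time, and state explicitly that revocations are not candidates for removal. In the "GnuPG" subsection, "strips some signatures on key import" is too vague for a reader to act on: name which signatures are stripped and under which conditions in the text itself, rather than relying on the linked task comment alone. The Hagrid paragraph has the same gap in "which is useful", where one clause saying what the third-party upload enables would help. Separately, "has problems handing it" in the context line above the new section should read "handling it".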