diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index e5eab68..028a37b 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -327,6 +327,7 @@ The popular [SKS keyserver network experienced certificate flooding firsthand](h write ``` +(cert-mini)= ### Certificate minimization Certificate minimization is the practice of presenting a partial view of a certificate by filtering out some of its components. 
@@ -337,7 +338,25 @@ Filtering out some elements of a certificate can have different benefits: - In some contexts, data can be added to certificates by third parties, e.g. by adding third-party User ID certifications on some key servers. In the worst case this can lead to ["certificate flooding"](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html) which inflates the target certificate to a point where consumer software rejects the certificate completely. Filtering out elements can mitigate this. - Sometimes, a certificate organically grows so big that the user software [has problems handing it](https://www.reddit.com/r/GnuPG/comments/bp23p4/my_key_is_too_large/). -#### Implementations +#### Elements that can be omitted as part of a minimization process + +There are different types of elements that can be omitted during minimization: + +- Subkeys (along with signatures on those subkeys) +- Identity components (along with both their self-signatures and third-party signatures) +- Signatures, by themselves: + - Self-signatures that have been superseded by newer self-signatures for the same purpose + - Third-party certifications + +#### Minimization in applications + +##### Hagrid, which runs keys.openpgp.org + +The [hagrid keyserver software](https://gitlab.com/keys.openpgp.org/hagrid) doesn't publish the identity components in certificates by default. This is a central aspect of the [privacy policy](https://keys.openpgp.org/about/privacy) of the service. Certificates can be uploaded to the service by third parties, which is useful. However, identifying information is only distributed by the service on an explicit opt-in basis. + +Separately, third-party certifications are currently filtered out by the service, to avoid flooding attacks. + +##### GnuPG GnuPG [strips some signatures on key import](https://dev.gnupg.org/T4607#127792).
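Review bot: The `(cert-mini)=` target added in the first hunk (`@@ -327,6 +327,7 @@`) uses an abbreviated label for the "Certificate minimization" heading. A label spelled out like the heading, for example `certificate-minimization`, is easier to recognise where it is referenced. Nothing in this patch references the new label, so please confirm that the cross-reference that needs it is part of the same series.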
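Review bot: In the second hunk (`@@ -337,7 +338,25 @@`), the added sentence "Separately, third-party certifications are currently filtered out by the service, to avoid flooding attacks." has no reference, while the identity-component claim directly above it links the privacy policy and the GnuPG line links its ticket. Please add a link that backs it, and because "currently" will age, state as of when. The new "Elements that can be omitted" list names what may be dropped but not what a minimized certificate must keep; one sentence on that would help readers of the list. The unchanged context line "has problems handing it" also looks like a typo for "handling" and could be fixed while touching this section.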