Re: How to handle photoID on keyserver? (Re: photo support?)

David Shaw <> Tue, 02 July 2002 04:02 UTC

Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id AAA15950 for <>; Tue, 2 Jul 2002 00:02:40 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by (8.11.6/8.11.3) id g623q3900807 for ietf-openpgp-bks; Mon, 1 Jul 2002 20:52:03 -0700 (PDT)
Received: from ( []) by (8.11.6/8.11.3) with ESMTP id g623q2w00803 for <>; Mon, 1 Jul 2002 20:52:02 -0700 (PDT)
Received: (from dshaw@localhost) by (8.11.6/8.11.6) id g623pwu01980 for; Mon, 1 Jul 2002 23:51:58 -0400
Date: Mon, 1 Jul 2002 23:51:58 -0400
From: David Shaw <>
Subject: Re: How to handle photoID on keyserver? (Re: photo support?)
Message-ID: <>
References: <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Phase-Of-Moon: The Moon is Waning Gibbous (56% of Full)
User-Agent: Mutt/1.5.1i
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>

On Tue, Jul 02, 2002 at 11:16:11AM +0900, Hironobu SUZUKI wrote:

> 2) Privacy issue:
>   Someone who is not owner of that public key can put public key
>   with PhotoID into public keyserver.  And everyone can get someone's
>   public key with PhotoID.

Anyone can upload *any* public key to a keyserver or distribute it via
whatever means they like.  This is the same "risk" as someone
uploading a key with my email address on it.  If I do not want my
photograph (or email address, name, public key, etc.)  made public,
then... I should not make it public.

> I think that most OpenPGP users concern privacy issue.  Size issue
> become problem to some public keyserver sites.  From my experience,
> entire of storage size for handling public keysever may require 4
> times (or more) of whole of public keys. I mean if dump key size is
> 15GB, HDD size is required 60GB at least.
> In my opinion, if public key with photoID is submitted public
> keyserver, public keyserver remove photoID and related signature
> packets and store the remains of packates into database.

Any keyserver operator is free to do this.  Conversely, any keyserver
operator is free to not do this.  Some keyservers have been storing
keys with photo IDs on them for years.  Some keyservers have been
removing photo IDs for years[1].

Where's the problem?


[1] Admittedly, pksd removes photo IDs because it doesn't understand
    them, and not due to a design choice, but the effect is the same.

   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson