Re: How to handle photoID on keyserver? (Re: photo support?)

"Michael Young" <> Tue, 02 July 2002 05:11 UTC


PGP doesn't use images anywhere near this size.  David Shaw
suggested that GnuPG will accept any size image, but even so,
I doubt that many people will attach such a large image
to their key.  [I might suggest that GnuPG refuse large
images by default, perhaps overridden with its "-expert" flag.]

I'd also guess that a 3% usage rate is very high.  The vast
majority of the keys on the public servers don't have any
signatures (other than self-).

>   Someone who is not owner of that public key can put public key
>   with PhotoID into public keyserver.  And everyone can get someone's
>   public key with PhotoID.

Yes, anyone can post a key claiming any identity.  This is
really nothing new.

If you're worried about people attaching bogus identities to
established keys, your keyserver could reject those without
self-signatures.  (Most of the keyservers do no verification
at all right now, so this would be a significant change.)

And yes, you could reject photoID packets (and any associated
signatures) if you think size is a problem.  (Even if you
reject them, I would encourage you to leave them in your
sync stream to other keyservers, as they may have a more
permissive policy.)

> I mean if dump key size is 15GB, HDD size is required 60GB at least.

I'm curious as to why this would be.  I can understand some
blowup because of indexing structures, but since you aren't
indexing the photoID packets anyway, I wouldn't expect the
same factor you have now.

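
Added example, not part of the original message: one way a keyserver could apply the size policy suggested above, dropping oversized photo ID packets (User Attribute, tag 17 in the OpenPGP packet format) together with the signatures that follow them, while returning the dropped packets so they can still be passed on in a sync stream. The 8192-byte limit and all function names are assumptions; partial-body and indeterminate lengths are rejected rather than parsed.

```python
# Added example: size policy for photo IDs on a keyserver (not the author's code).
MAX_ATTR_BYTES = 8192              # assumed limit, not taken from the message
SIGNATURE, USER_ATTRIBUTE = 2, 17  # OpenPGP packet tags

def read_packets(data):
    """Yield (tag, raw_packet, body_length) for each packet in a binary key."""
    pos = 0
    while pos < len(data):
        start, first = pos, data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        pos += 1
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[pos]
            if o1 < 192:                       # one-octet length
                length, pos = o1, pos + 1
            elif o1 < 224:                     # two-octet length
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:                    # four-octet length
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype                     # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        pos += length
        yield tag, data[start:pos], length

def filter_key(data, max_attr=MAX_ATTR_BYTES):
    """Return (stored, dropped); dropped holds oversized attributes and their signatures."""
    stored, dropped, dropping = [], [], False
    for tag, raw, length in read_packets(data):
        if tag == USER_ATTRIBUTE:
            dropping = length > max_attr       # decide per attribute packet
        elif tag != SIGNATURE:
            dropping = False                   # any other packet ends the dropped group
        (dropped if dropping else stored).append(raw)
    return b"".join(stored), b"".join(dropped)

def make_packet(tag, body):
    """Build a constructed sample packet (new format, four-octet length)."""
    return bytes([0xC0 | tag, 255]) + len(body).to_bytes(4, "big") + body

# Constructed sample key: public key, user ID + sig, large photo + sig, small photo + sig.
SAMPLE = b"".join(make_packet(t, b) for t, b in [
    (6, b"k" * 20), (13, b"Alice"), (2, b"s1"),
    (17, b"\0" * 20000), (2, b"s2"), (17, b"\0" * 100), (2, b"s3")])
```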