On Mon, Nov 22, 2004 at 16:35:51 +0100, Henk P. Penning wrote:
> Hi,
Hello,
> some organisations use a 'corporate key' to sign stuff ; for example 'spamassassin'. Such keys are signed by the board, but the key signs nothing. I think that is reasonable.
So do I.
> The problem is, such a 'corporate key' is not in the strong set.
Yes, that is a problem.
> How do you feel about extending WOT's to the 'reachable set' ?
I'd like it, and I know many more people would too.
> -- not much bigger ; I guess some 41000 keys
True.
> -- you must extract the 'reachable set' anyway to compute the 'strong set' (that's true, isn't it ??)
But this is unfortunately wrong. :(
To compute the strong set you need to compute the _reaching_ set, not the reachable set. The only thing we can get from a key is who has signed that key, not what keys it has signed. Your corporate key hasn't signed any other key, so no other key shows any trace of that key. To find the key you'll have to search through all keys on the server.
In the FAQ I'm compiling I have written this:
Why not include the whole reachable or reaching set?
One might imagine including the largest strongly connected set plus the set of keys that can reach that set. However, the advantages are very small. A key owner in that situation has probably just signed a few keys that can be used to reach the rest, and can do searches from those keys instead. Furthermore, including the reaching set will encourage people to sign a random key just to be included.
Including the reachable set is a better idea. However, due to technical reasons regarding the way the key information is extracted, that is much more complicated. The reachable set will probably be included some time in the future. As soon as anyone writes the code to do it.
I also wrote this in reply to a similar question some time ago:
Right now I start with some keys known to be in the large SCS and follow the signatures. This gives me the whole set of keys that can reach the large SCS. I then filter out just the large SCS. Getting the reachable set in a similar way would require looking at each and every key, which would be hard to do once every day. The only realistic solution I can think of right now is to look through every key once and build a database of all signatures, and each day look at all keys changed or added since the last update and update the signature database, go through all keys in the signature database to see if they are still on the key server, and lastly create a .wot file from the signature database. That would actually be quite fast. If someone implements it, I'll use it.
I haven't really thought it through though, so there might be some bug somewhere.
BTW, just a reminder to all of you: Wednesday next week is 2004-12-01, the day we will move to the new file format: http://www.lysator.liu.se/~jc/wotsap/wotfileformat-0.2.txt
Regards, Jörgen
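
The distinction discussed in this message, as an added example that is not part of the original mail and not wotsap code: following the signer lists stored on each key yields the reaching set, while the reachable set needs an inverted signature database built by one pass over every key and then updated per changed key. The key names, function names and sample keyring are constructed for illustration.

```python
from collections import deque

def closure(seeds, edges):
    """All keys found from seeds by repeatedly following edges[key]."""
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def build_signature_db(signed_by):
    """One pass over every key: invert 'who signed K' into 'what has S signed'."""
    signs = {}
    for key, signers in signed_by.items():
        for signer in signers:
            signs.setdefault(signer, set()).add(key)
    return signs

def update_key(signed_by, signs, key, signers):
    """Daily step: apply one changed or added key to both indexes."""
    for old in signed_by.get(key, set()) - set(signers):
        signs[old].discard(key)
    for new in signers:
        signs.setdefault(new, set()).add(key)
    signed_by[key] = set(signers)

def classify(seed, signed_by, signs):
    """Sets relative to a seed key known to be in the large SCS."""
    reaching = closure([seed], signed_by)   # uses only data stored on each key
    reachable = closure([seed], signs)      # needs the inverted database
    return {"strong": reaching & reachable,
            "reaching": reaching, "reachable": reachable}

# Constructed sample keyring: key -> signers listed on that key.
SIGNED_BY = {
    "A": {"B", "NEW"}, "B": {"C"}, "C": {"A"},
    "CORP": {"A", "B"},   # corporate key: signed by the board, signs nothing
    "NEW": set(),         # has signed A, nobody has signed it
}
SIGNS = build_signature_db(SIGNED_BY)
SETS = classify("A", SIGNED_BY, SIGNS)

if __name__ == "__main__":
    for name, keys in SETS.items():
        print(name, sorted(keys))
```

CORP never appears while walking signer lists from A, which is why it only shows up once the inverted database exists.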