[OT] New keyserver

disastry at saiknes.lv disastry at saiknes.lv
Tue Sep 24 23:36:02 CEST 2002

Hash: RIPEMD160

Jan-Benedict Glaw wrote:
> On Mon, 2002-09-23 16:48:22 +0200, disastry at saiknes.lv <disastry at saiknes.lv>
> wrote in message <3D8F29B6.ECB9E13 at saiknes.lv>:
> > keyserver does not need to sign keys,
> > however it would be nice if it could verify signatures, so that it can reject
> > userids without valid selfsig.
> Seems I don't get the point. What's wrong with UIDs without
> self-signatures? Though, they're *not* what you think about them (being
> "valid" UIDs), but technically, everybody can attach any UIDs to any
> key.

yes, and exactly that is wrong.
can you tell any legitimate reason to allow everybody attach any UIDs to any key?
key 0x00BBAA09 (on servers) shows it very well.

> ...and GnuPG doesn't trust UIDs without self-signatures, so
> everything is okay (from my point of view).
> What could be said is that it would be a nice feature to not transmit
> UIDs with missing self-sigs, because they're a) not worth anything and
> b) probably the result of bad kiddies. Am I wrong here?

no, but it's easier to reject them when importing, and result is the same, IMHO.
(and you need to check sign only once - when importing, not every time - when transmitting).

well.. maybe there could be exception - for keys with only one (and unsigned) UID - they may be accepted.

Disastry  http://disastry.dhs.org/
Version: Netscape PGP half-Plugin 0.15 by Disastry / PGPsdk v1.7.1


More information about the Gnupg-devel mailing list