How to use preferred keyservers

David Shaw dshaw at jabberwocky.com
Mon May 31 03:38:02 CEST 2004


So now that 1.3.6 is out and people are playing with it, here's some
info on preferred keyservers.  There are actually two uses for
preferred keyservers, but I'll cover the second use in a later mail.
Remember that preferred keyservers is a new feature in 1.3.6.  It does
not exist in 1.2.x.

The main idea behind preferred keyservers is that the key owner is
often the best person to decide how their key is distributed.  They
thus set a preferred keyserver on the key, and anyone who wants to
refresh the key can get it from there automatically.  Obviously, since
the preferred keyserver lives on the key itself, it doesn't help
anyone get the key for the first time (it's a chicken-and-egg
problem).

To use it:

  gpg --edit-key (yourkey)
  keyserver (theurl)

The preferred keyserver lives on the self-sig (along with the
expiration time, preferences, etc.), so you will need to type your
passphrase so a new self-sig can be generated.  Note that like the
other data items that live on self-sigs, you can have a different
preferred keyserver per user ID.

The keyserver URL can point to a keyserver:

  hkp://subkeys.pgp.net
  ldap://keyserver.pgp.com

or it can be an HTTP URL:

  http://www.jabberwocky.com/key.asc

You can even point to CGIs on places like Biglumber:

  http://www.biglumber.com/x/web?pk=8B93F0C84A9E88B2CAB478DAA6112E1D14B0A058

It's fairly simple, but powerful.

Once there is a preferred keyserver set, anyone who does
--refresh-keys on your key will get it from the place you specified.
There is a keyserver-option named "honor-keyserver-url" that turns
this feature on and off.  It is on by default.

Caveats:

* For various unfortunate reasons, some versions of PGP interpret
  "preferred keyserver" as "Yes, I understand PGP/MIME email".  Not
  much we can do about that, but keep it in mind if you want a
  preferred keyserver and don't understand PGP/MIME mails.  The PGP
  versions that do this are the "PGP Universal" product, so if your
  correspondents use regular PGP 8, there should be no problem.

* There is a gotcha in that since the keyholder controls the keyserver
  URL, they can prevent people from revoking their signatures on the
  key by simply not updating their web page.  Note also that a stolen
  key has a similar problem - the thief can try to prevent the real
  owner from revoking the key.  There is no solution to this problem
  yet.

David
More information about the Gnupg-devel mailing list