[PATCH v4] filter and verify keyserver responses

Jérôme Pinguet jerome at jerome.cc
Wed Jun 25 16:22:58 CEST 2014

On 20/10/2013 14:53, Stefan Tomanek wrote:
> This change introduces import functions that apply a constraining
> filter to imported keys. These filters can verify the fingerprints of
> the keys returned before importing them into the keyring, ensuring that
> the keys fetched from the keyserver are in fact those selected by the
> user beforehand.
> It also prevents the accidental import of secret keys through key server
> responses.

Talking about import filters, is this already implemented or could it be

A filter that imports only keys authenticated by one or more given
key(s) (identified by its(their) fingerprint(s))?

If this kind of feature does not fit in GnuPG's roadmap, maybe someone
has already implemented this outside of GnuPG?

The real-life application is to secure even further a read-only private
key server used within an organization. In case of compromise of the
keyserver, a user won't be able to download a rogue key that has not
been authenticated by the organization's key(s).


Jérôme Pinguet
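
Added example, not part of the original message and not GnuPG code: one way to approximate the filter asked about above outside of GnuPG is to stage fetched keys in a scratch keyring that also holds the organization's key, run `gpg --with-colons --check-sigs` there, and accept only keys carrying a good certification from a trusted fingerprint. The staging step, the helper names and the sample records are assumptions, and the parser assumes a GnuPG version that reports the issuer fingerprint in field 13 of `sig` records.

```python
# Added example (not GnuPG code): decide which staged keys carry a valid
# certification from a trusted organization key, using the output of
# `gpg --with-colons --check-sigs`.
CERT_CLASSES = {"10", "11", "12", "13"}   # OpenPGP user ID certifications

def certified_keys(colons, trusted_fprs):
    """Return fingerprints of public keys that have at least one good
    certification, and no certification revocation, from a trusted key."""
    trusted = {fpr.upper() for fpr in trusted_fprs}
    verdict = {}                  # primary fingerprint -> None/True/False
    current, primary, on_uid = None, False, False
    for line in colons.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec in ("pub", "sec", "sub", "ssb"):
            # Only public primary keys qualify; secret keys never do.
            current, primary, on_uid = None, rec == "pub", False
        elif rec == "fpr" and primary and current is None:
            current = f[9].upper()
            verdict[current] = None
        elif rec == "uid":
            on_uid = primary and f[1] not in ("r", "e")   # revoked / expired
        elif rec in ("sig", "rev") and on_uid and current and len(f) > 12:
            if f[1] != "!" or f[12].upper() not in trusted:
                continue          # bad, unverifiable, or not issued by us
            if rec == "rev":
                verdict[current] = False      # fail closed on any revocation
            elif f[10][:2] in CERT_CLASSES and verdict[current] is None:
                verdict[current] = True
    return [fpr for fpr, ok in verdict.items() if ok]

# Constructed sample data: fingerprints, names and dates are made up.
ORG = "A" * 40
ALICE, BOB, MALLORY = "1" * 40, "2" * 40, "3" * 40

def _key(fpr, name, org_sig):
    """Build colon records for one key; org_sig is the --check-sigs flag
    for the organization's certification ('!' good, '-' bad) or None."""
    rows = [f"pub:-:4096:1:{fpr[-16:]}:1400000000:::-:::scESC:",
            f"fpr:::::::::{fpr}:",
            f"uid:-::::1400000000::::{name}:",
            f"sig:!::1:{fpr[-16:]}:1400000000::::{name}:13x::{fpr}:::8:"]
    if org_sig:
        rows.append(f"sig:{org_sig}::1:{ORG[-16:]}:1400000100::::Org CA:10x::{ORG}:::8:")
    return "\n".join(rows) + "\n"

SAMPLE = _key(ALICE, "alice", "!") + _key(BOB, "bob", "-") + _key(MALLORY, "mallory", None)
```

Only the fingerprints returned by `certified_keys` would then be exported from the scratch keyring and imported into the real one; a key whose organization signature fails verification, or that has none, is left behind.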
