[openpgp-email] Keyservers and GDPR

Werner Koch wk at gnupg.org
Wed Nov 7 10:08:19 CET 2018

On Tue,  6 Nov 2018 17:57, vb at pep-project.org said:

> I'm not of the opinion that key servers are a good idea at all. It's
> a pity that people still follow this wrong idea.

Keyservers are used for several purposes:

1. Search for keys based on the fingerprint ("gpg --recv-key FPR")
2. Search for key revocations ("gpg --refresh-key")
3. Search for keys based on the user id.  (e.g. "gpg --search-key")
4. As a distribution medium for key signatures.
5. As a distributed and searchable storage.

The first two purposes are quite useful because they allow verifying
signatures made by yet unknown keys. Retrieving the keys is no data
privacy problem because by signing and sending a mail the sender has
already provided all this information.  There is nothing which can
replace these purposes because a key does not necessarily need to have a
mail address and even if so, any mail address based lookup can fail
after the mail address is no longer in use, the account has been
disabled, etc.  Fingerprints are globally unique and need not be
associated with a mail address.

Purpose 3 is what we call key discovery and indeed keyservers are the
wrong way to do this.  In most cases we want to map a mail address to a
key and have some kind of reliable mapping.  Keyservers which are just a
pile of keys don't allow for this.  Back then, when encryption was young
and the internet was a friendly place, searching for keys worked in most
cases.  But the times have changed and the bona fide search is useless.

Purpose 4, distribution of key signatures, worked as long as people
didn't use the key listings of the server or tools for more or less
funny messages.  Uploading key signatures should be possible only by the
holder of the key.  However, to enforce this the keyservers need to
employ real crypto and won't be a lean service anymore.  I think the
distribution of keyservers, for those who still want to use the WoT,
can be replaced by sending the signed keys only back to the owner.  In fact
tools like caff suggest this use case.

Purpose 5 is not relevant for OpenPGP key distribution and actually the
reason why the keyserver network has more or less broken down.

My suggestion is to limit the keyservers to the purposes 1 and 2.  This
can in practice easily be done by removing the search by user-id
interface from the keyservers and, on the client side, by discovering
keys using other methods (e.g. Web Key Directory).  Having no searchable
interface to the keyservers makes them less attractive for abuse (as in
purpose 5) and avoids some privacy issues (white pages without user

It is likely that gpg will eventually change its --search-key command to
do the equivalent of --locate-key but without checking the local



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list
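
One way a keyserver front end could enforce the restriction to purposes 1 and 2 suggested in the message above, as an added example (not code from the message, from GnuPG, or from any keyserver project). It assumes HKP-style `/pks/lookup` requests; the function names, the choice to accept only full 40-hex-digit fingerprints, and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: only full v4 fingerprints (40 hex digits, 0x prefix) are accepted.
FPR_RE = re.compile(r"0x[0-9A-Fa-f]{40}")


def allow_hkp_request(url):
    """Return (allowed, reason) for an HKP lookup URL under a policy that
    serves retrieval by fingerprint and nothing else."""
    parts = urlsplit(url)
    if parts.path != "/pks/lookup":
        return False, "not a lookup request"
    query = parse_qs(parts.query, keep_blank_values=True)
    ops = query.get("op", [])
    searches = query.get("search", [])
    # Repeated parameters are refused so a second value cannot slip past.
    if len(ops) != 1 or len(searches) != 1:
        return False, "op and search must each appear exactly once"
    if ops[0].lower() != "get":
        return False, "listing operations (index, vindex) are disabled"
    if not FPR_RE.fullmatch(searches[0]):
        return False, "search term is not a full fingerprint"
    return True, "fingerprint retrieval"


# Constructed sample requests, not taken from any real server log.
SAMPLE_REQUESTS = [
    "/pks/lookup?op=get&options=mr&search=0x" + "A1" * 20,
    "/pks/lookup?op=index&options=mr&search=alice%40example.org",
    "/pks/lookup?op=get&search=alice%40example.org",
    "/pks/lookup?op=get&search=0xDEADBEEF",
    "/pks/lookup?op=get&search=0x" + "A1" * 20 + "&search=bob",
]


def classify(requests):
    """Apply the policy to each request and return the allow/deny flags."""
    return [allow_hkp_request(r)[0] for r in requests]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, reason = allow_hkp_request(req)
        print("ALLOW" if allowed else "DENY ", reason, "|", req)
```

With this policy, retrieval and refresh by fingerprint keep working, while user-id searches, short key IDs and listing operations are refused.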