Allowing import of pubkeys without User ID
Werner Koch
wk at gnupg.org
Fri Jan 13 15:30:00 CET 2023
On Fri, 13 Jan 2023 12:15, Andrew Gallagher said:

> system) to keep trying the other methods. But if we get a “key
> revoked” error, then we have a definite answer and can stop
> looking. The client-side/user behaviour changes depending on the

You can't stop because you would trust the statement from the keyserver.
Which is not what keyservers are made for. Thus even after you get a
revoked status from a keyserver you need to fetch the public key and
verify the revocation certificate.

> a self-sig, it makes sense to allow self-sigs and their primaries to
> be distributed regardless of whether they are “usable” in a
> client-side sense.

You can do between the keyservers whatever you want. If you want to
validate the keyblock you need the user id and need to verify the
self-sig before you allow fetching that keyblock (maybe restricted to
the requested user id).

Salam-Shalom,

Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
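
Added example, not part of the original message or of GnuPG: a client-side check that decides revocation from the fetched keyblock rather than from a keyserver's status reply, by importing it into a throwaway keyring so that gpg verifies the revocation signature itself. It assumes a GnuPG 2.x `gpg` on PATH; the function names and the sample listing are constructed for illustration.

```shell
# Constructed sample of `gpg --with-colons --list-keys` output for a revoked key.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_LISTING="pub:r:255:22:89ABCDEF01234567:1673600000:::-:::scESC:
fpr:::::::::${SAMPLE_FPR}:
uid:r::::1673600000::::Constructed Example <user@example.org>:"

# primary_revoked FPR   (hypothetical helper)
# Reads a colon listing on stdin. Succeeds only if the primary key whose
# fingerprint is FPR has validity "r" (field 2 of its pub record).
# A revoked subkey ("sub:r:") under a valid primary does not count.
primary_revoked() {
    awk -F: -v want="$1" '
        $1 == "pub" { validity = $2; after_pub = 1; next }
        $1 == "fpr" && after_pub {
            # The first fpr record after pub belongs to the primary key.
            after_pub = 0
            if ($10 == want && validity == "r") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# locally_verified_revoked FPR KEYFILE   (hypothetical helper)
# KEYFILE is the keyblock fetched from the keyserver. It is imported into a
# temporary keyring so the verdict comes from gpg's own signature checks,
# not from anything the keyserver reported.
# Exit status: 0 revoked, 1 not revoked, 2 setup or import failure.
locally_verified_revoked() (
    home=$(mktemp -d) || exit 2
    trap 'rm -rf "$home"' EXIT
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$2" 2>/dev/null || exit 2
    gpg --homedir "$home" --batch --with-colons --with-fingerprint \
        --list-keys "$1" 2>/dev/null | primary_revoked "$1"
)
```

A keyserver "revoked" reply would then only be a hint to run `locally_verified_revoked FPR fetched.asc`; the search through other sources stops on that function's exit status, not on the reply.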