Allowing import of pubkeys without User ID
andrewg at andrewg.com
Fri Jan 13 16:13:20 CET 2023
On 13 Jan 2023, at 14:30, Werner Koch <wk at gnupg.org> wrote:
> On Fri, 13 Jan 2023 12:15, Andrew Gallagher said:
>> system) to keep trying the other methods. But if we get a “key
>> revoked” error, then we have a definite answer and can stop
>> looking. The client-side/user behaviour changes depending on the
> You can't stop because you would trust the statement from the keyserver.
> Which is not what keyservers are made for. Thus even after you get a
> revoked status from a keyserver you need to fetch the public key and
> verify the revocation certificate.
This is exactly my proposal. If the keyserver were able to return the key packet(s) and the relevant signature(s), then a client could verify the revocation sig immediately, and stop processing. A UserID is not necessary if the lookup was made for a fingerprint.
>> a self-sig, it makes sense to allow self-sigs and their primaries to
>> be distributed regardless of whether they are “usable” in a
>> client-side sense.
> You can do between the keyservers whatever you want. If you want to
> validate the keyblock you need the user id and need to verify the
> self-sig before you allow fetching that keyblock (maybe restricted to
> the requested user id)
One can validate a direct signature over a primary key without processing any UserIDs.
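Added example (Python, not GnuPG's or any keyserver's code) of the point made above: for a v4 key-revocation signature (type 0x20) the hash defined in RFC 4880 section 5.2.4 covers only the primary key packet and the signature's own hashed portion, so a client that looked a key up by fingerprint can check the revocation with no User ID packet present. All packet bytes are constructed; the key material and signature MPI are placeholders, so the block performs the stored left-16-bit hash check and assumes the asymmetric verification is delegated to a crypto library.

```python
# Added example with constructed data, not GnuPG code: RFC 4880 sec. 5.2.4 hashing for a 0x20 sig.
import hashlib
import struct
HASH_ALGOS = {2: "sha1", 8: "sha256", 10: "sha512"}  # RFC 4880 sec. 9.4, subset

def parse_packets(blob):
    """Split a new-format OpenPGP packet stream into (tag, body) pairs."""
    out, i = [], 0
    while i < len(blob):
        if blob[i] & 0xC0 != 0xC0:
            raise ValueError("old-format headers not handled in this example")
        tag, b1 = blob[i] & 0x3F, blob[i + 1]
        if b1 < 192:                                   # one-octet body length
            ln, i = b1, i + 2
        elif b1 < 224:                                 # two-octet body length
            ln, i = ((b1 - 192) << 8) + blob[i + 2] + 192, i + 3
        else:                                          # five-octet and partial lengths
            raise ValueError("long/partial body lengths not handled in this example")
        out.append((tag, blob[i:i + ln]))
        i += ln
    return out

def revocation_digest(key_body, sig_body):
    """Hash input of a v4 key-revocation sig: key packet, hashed sig part, trailer. No User ID."""
    if sig_body[0] != 4 or sig_body[1] != 0x20:
        raise ValueError("not a v4 key revocation signature")
    hashed = sig_body[:6 + struct.unpack(">H", sig_body[4:6])[0]]
    h = hashlib.new(HASH_ALGOS[sig_body[3]])
    h.update(b"\x99" + struct.pack(">H", len(key_body)) + key_body)  # primary key packet
    h.update(hashed)                                                  # version .. hashed subpkts
    h.update(b"\x04\xff" + struct.pack(">I", len(hashed)))            # v4 trailer
    return h.digest()

def check_revocation(blob):
    """True if the 0x20 sig's stored left-16 hash bits match; User ID packets are never consulted.
    The public-key operation over the trailing MPI is left to the crypto library."""
    pkts = parse_packets(blob)
    key_body = next(b for t, b in pkts if t == 6)                      # primary public key
    sig_body = next(b for t, b in pkts if t == 2 and b[1] == 0x20)     # key revocation sig
    hl = struct.unpack(">H", sig_body[4:6])[0]
    off = 8 + hl + struct.unpack(">H", sig_body[6 + hl:8 + hl])[0]     # skip unhashed subpkts
    return sig_body[off:off + 2] == revocation_digest(key_body, sig_body)[:2]

def build_sample():
    """Constructed block: v4 key with placeholder material + revocation sig with placeholder MPI."""
    key_body = b"\x04" + struct.pack(">I", 1673600000) + b"\x16" + bytes(range(40))
    subpkts = b"\x05\x02" + struct.pack(">I", 1673600100) + b"\x0d\x1d\x03Compromised"
    sig_head = b"\x04\x20\x16\x08" + struct.pack(">H", len(subpkts)) + subpkts + b"\x00\x00"
    sig_body = sig_head + revocation_digest(key_body, sig_head)[:2] + b"\x00\x08\xaa"
    return bytes([0xC6, len(key_body)]) + key_body + bytes([0xC2, len(sig_body)]) + sig_body
```

Running `check_revocation(build_sample())` returns True with a block that contains exactly two packets and no User ID; a real client would then hand the digest and MPI to its signature-verification routine.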