Allowing import of pubkeys without User ID

Andrew Gallagher andrewg at
Fri Jan 13 16:13:20 CET 2023

On 13 Jan 2023, at 14:30, Werner Koch <wk at> wrote:
> On Fri, 13 Jan 2023 12:15, Andrew Gallagher said:
>> system) to keep trying the other methods. But if we get a “key
>> revoked” error, then we have a definite answer and can stop
>> looking. The client-side/user behaviour changes depending on the
> You can't stop because you would trust the statement from the keyserver.
> Which is not what keyservers are made for.  Thus even after you get a
> revoked status from a keyserver you need to fetch the public key and
> verify the revocation certificate.

This is exactly my proposal. If the keyserver were able to return the key packet(s) and the relevant signature(s), then a client could verify the revocation sig immediately, and stop processing. A UserID is not necessary if the lookup was made for a fingerprint.

>> a self-sig, it makes sense to allow self-sigs and their primaries to
>> be distributed regardless of whether they are “usable” in a
>> client-side sense.
> You can do between the keyservers whatever you want.  If you want to
> validate the keyblock you need the user id and need to verify the
> self-sig before you allow fetching that keyblock (maybe restricted to
> the requested user id)

One can validate a direct signature over a primary key without processing any UserIDs.



More information about the Gnupg-devel mailing list