Unwanted additions to Keys

L. Sassaman rabbi@quickie.net
Fri, 7 Jul 2000 12:04:30 -0700 (PDT)

Hash: SHA1

On 7 Jul 2000, Huels, Ralf KSV wrote:

> > You are mistaken. Anyone can add user-ids to any key. An implementation of
> > OpenPGP done correctly will ignore user-ids that do not have valid
> > self-signatures (IMHO), and you need the private key to make a
> > self-signature, but that doesn't stop someone from adding a user-id to a
> > key.
> Ok. I tried adding a UID to someones key in GnuPG before my last message
> and got a reject. I assumed that it was an OpenPGP feature but apparently
> itīs just a GnuPG feature.
> > Been done. There is an "owner-update-only" flag in OpenPGP that the user
> > can select, so that no one can update his key on the keyservers but
> > himself.
> I see. It does not seem to be widely advertised or even (as Werner pointed
> out) widely used by the servers.
Yep. Both of those issues are purely in the realm of theory. There are things that are possible with OpenPGP that are not permitted by certain (or all) implementations of OpenPGP. But there is nothing stopping you from writing your own hack that adds UIDs to other peoples keys (except that you would piss a lot of people off), or writing a patch to a keyserver so that the owner-update-only flag is treated properly. __ L. Sassaman System Administrator | Technology Consultant | "Credo quia absurdum." icq.. 10735603 | pgp.. finger://ns.quickie.net/rabbi | --Tertullian -----BEGIN PGP SIGNATURE----- Comment: OpenPGP Encrypted Email Preferred. iD8DBQE5ZinFPYrxsgmsCmoRAke8AKD1C1VGqq/f6aEIFLYk8b/h8+uikQCfXXPw ao6e/RiDGD0IcMddcxLTlIU= =mvb8 -----END PGP SIGNATURE-----