How to remove 'unwanted' sig from my public key?
Len Sassaman
rabbi@quickie.net
Fri Oct 5 23:33:01 2001
On Fri, 5 Oct 2001, Nick Andriash wrote:
> Bear with me for a minute Len: I presume that the flag set by GnuPG (and
> hopefully one day by PGP) works in concert with the inherent ability of
> the KeyServer itself to recognise that flag? I have looked at RFC 2440
> but on initial glance, its somewhat technical nature makes it difficult
> for me to read the relevant section that defines those flags. Can you
> point me to that section, and/or give a very quick explanation as to
> what that flag entitles the Key Owner to do or not do?
I don't know the section number off the top of my head, and don't have the
time right now to look it up (but it is in the signature subpacket
section).
Basically, if this subpacket is set no-modify=yes in the self sig, the key
server will reject updates to the key that do not come from the key owner.
(So, if you want to add other people's signatures to your key, you would
need them to sign the key, and provide you a copy of the signed key. You
would then submit it to the key server yourself.)
(We're working on a key server Internet Draft. I assume your next question
is "how does the key server verify ownership." That is up to the
implementation. NAI's Keyserver 7.0 uses the LDAPS connection, established
with the primary key in question, to do this.)
So, in order to use this feature, you need the bit set on your key (which
you can do with GnuPG. Once it is set, it doesn't matter what your primary
PGP application is.) You also need to be using key servers that recognise
this function. So far, NAI's implementation is the only one that does so.
--Len.
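The subpacket Len is describing is the Key Server Preferences signature subpacket (type 23 in RFC 2440, section 5.2.3.17), whose first octet carries the No-modify bit (0x80). The following is an added illustration, not code from the thread, GnuPG, or NAI's key server: it parses an RFC 2440 signature subpacket area (one-, two- and five-octet length forms), reports whether No-modify is set in a self-signature, and applies the acceptance rule Len describes (updates to a No-modify key are accepted only when submitted by the owner). The sample subpacket areas and the `submitted_by_owner` flag are constructed here; how a real server verifies ownership is, as the post says, implementation-specific.

```python
# Added example (not from the original thread): inspect the Key Server
# Preferences subpacket of an OpenPGP self-signature and apply the
# no-modify rule a key server would enforce. Constants per RFC 2440 5.2.3.17.
import struct

KEY_SERVER_PREFERENCES = 23  # signature subpacket type
NO_MODIFY = 0x80             # bit in the first octet of that subpacket
SIG_CREATION_TIME = 2        # used only to build realistic sample data
KEY_FLAGS = 27               # used only to build realistic sample data


def parse_subpackets(area: bytes):
    """Yield (type, critical, body) for each subpacket in a subpacket area.

    Length encoding (RFC 2440 5.2.3.1): 1 octet if < 192, 2 octets for
    192..16319, and 0xFF followed by a 4-octet big-endian length otherwise.
    The length counts the type octet but not the length octets themselves.
    """
    i, n = 0, len(area)
    while i < n:
        b0 = area[i]
        if b0 < 192:
            length, i = b0, i + 1
        elif b0 < 255:
            if i + 1 >= n:
                raise ValueError("truncated two-octet subpacket length")
            length, i = ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            if i + 4 >= n:
                raise ValueError("truncated five-octet subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > n:
            raise ValueError("subpacket length runs past end of area")
        type_octet = area[i]
        body = area[i + 1:i + length]
        yield type_octet & 0x7F, bool(type_octet & 0x80), body
        i += length


def no_modify_set(self_sig_area: bytes) -> bool:
    """True if the self-signature asks key servers not to accept third-party changes."""
    for typ, _critical, body in parse_subpackets(self_sig_area):
        if typ == KEY_SERVER_PREFERENCES:
            return bool(body) and bool(body[0] & NO_MODIFY)
    return False  # subpacket absent: no restriction was requested


def keyserver_should_accept(self_sig_area: bytes, submitted_by_owner: bool) -> bool:
    """Server-side policy: with no-modify set, only the owner's submissions are merged."""
    if no_modify_set(self_sig_area):
        return submitted_by_owner
    return True


def encode_subpacket(typ: int, body: bytes) -> bytes:
    """Build one subpacket with the correct RFC 2440 length header (for sample data)."""
    length = len(body) + 1  # type octet plus body
    if length < 192:
        header = bytes([length])
    elif length < 16320:
        header = bytes([((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:
        header = b"\xff" + struct.pack(">I", length)
    return header + bytes([typ]) + body


# Constructed sample hashed-subpacket areas (creation time and key flags are
# filler so the area looks like a real self-signature's).
SAMPLE_NO_MODIFY = (
    encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", 0x3BBE5D4D))
    + encode_subpacket(KEY_FLAGS, b"\x03")                 # certify + sign
    + encode_subpacket(KEY_SERVER_PREFERENCES, b"\x80")    # no-modify set
)
SAMPLE_OPEN = (
    encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", 0x3BBE5D4D))
    + encode_subpacket(KEY_FLAGS, b"\x03")                 # no type-23 subpacket at all
)

if __name__ == "__main__":
    for name, area in (("no-modify key", SAMPLE_NO_MODIFY), ("open key", SAMPLE_OPEN)):
        print(name, "no-modify:", no_modify_set(area),
              "accept third-party update:", keyserver_should_accept(area, False))
```

On a real key, `gpg --list-packets` on the exported key shows the same subpacket in the self-signature (reported as key server preferences with the hex value), which is the quickest way to confirm the bit is set before relying on a server to honour it.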