checking up on one's public key

David Shaw dshaw@jabberwocky.com
Fri Jun 14 14:42:02 2002


On Thu, Jun 13, 2002 at 07:39:02AM -0500, David T-G wrote:
> Hi, all --
> 
> When discussing key sharing and keyservers with someone off-list I
> demonstrated a lookup by searching for my own key.  I wasn't surprised to
> find it or some of the sigs on it, but I *was* surprised to see what had
> been added.  It never occurred to me that someone would sign my key and
> not drop me a note, but there they were!

It's not unheard of, but not exactly common either.  It could be an
error with someone picking your key to test on and accidentally
uploading it to the server afterwards.  Famous people tend to get it
more: Phil Zimmermann has signatures from 'president@whitehouse.gov'
and 'vice-president@whitehouse.gov' ;)

OpenPGP actually has a flag to say essentially "don't accept updates
to my key on the keyserver unless they come from ME".  GnuPG does set
this flag, but none of the current HKP keyservers uses it.  I'm not
sure if the LDAP keyserver does - does anyone know for sure?  It's a
hard feature to support since it means you need some sort of
authentication between the user and the keyserver which complicates
things quite a bit.  The LDAP keyserver already has this
authentication, of course.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson