adding and updating to keyservers

Brian Minton bminton@efn.org
Sat Sep 28 18:55:02 2002


On Thu, Sep 26, 2002 at 11:02:18PM -0500, Newton Hammet wrote:
> I assume that updating the key with additional material (like someone
> signing my key), is done by the same process under which the key was
> added as a new key.

You mean added to the keyserver?  Yes, just do:
gpg --keyserver some.key.server --send-keys 0xYOURKEYID

(If you don't have internet connectivity, you can do the following:
gpg -a --export 0xYOURKEYID > mypubkey.asc
then copy that file to one of the keyserver web interfaces.)

> (that is deleting which is the problem, and that is what my various
> copies of a revoke cert are, and the cert itself can be uploaded to
> the keyserver, or do you have to revoke your public key locally first
> and then upload the whole shootin match to the server?

When you make a revocation with gnupg, it is just a signature.  You have
to import it, which will add the revocation certificate to your public
key.  You can then repeat the steps to send the key to the keyservers.

> Question 2:  how exactly do people sign my key so i can put the
> signatures on the keyserver, or, do other people do that? (sign the
> copy I have on the key server).  

They receive the key from the keyserver, then call you up (or meet in
person, which is even better) and verify that the fingerprint of the
public key they have is the same as the one that you have.  (Extra
signatures, userids, etc. do not affect the fingerprint.)  Then they will
do gpg --sign-key 0xYOURKEYID, and then they can send it to the
keyservers; then you can get it back from the keyservers and check their
signature.

> The thing is, I know how to sign keys i put on my keyring.  I guess
> what i do if i want someone to sign my key I send it to them they add
> their signature, and send it back to me and then I send the whole
> shooting match up to the server (as an update to my key).  

yep.  The key that they get from the keyservers is the same as the key
that they get directly from you.  The only exceptions to this are keys
that have multiple subkeys, then some of the keyservers are known to
corrupt the key.  In most cases though this does not apply, as the
default is to only have one subkey.  Extra signatures on your key could
be considered "auxiliary" information, and can be safely added at a
later time without changing the core key.

> 
> (i.e. i first re-import my public key with signatures back to my local
> keyring, check it out to make sure it hasn't been corrupted, and then
> re-export and send on up to server, all assuming of course that the
> public keyring is backed up prior to this.)

correct.

> So what I have above is questions pretty much in the form of
> assumptions...
> 
> Just all about putting the key out there being ready to revoke just in
> case, and, getting the key signed by others, and so on.  
> 
> Hopefully some volunteers will further illuminate me. and I set the
> outgoing wrap at 72 characters this time ... hope that helps.

I think you are doing everything correctly.  Good luck!
