Import a pubkey sans self-sig?

Yenot yenot@sec.to
Tue Apr 8 20:25:01 2003



On Tuesday 08 April 2003 01:14 am, David Shaw wrote:
> On Mon, Apr 07, 2003 at 03:59:03PM -0400, gabriel rosenkoetter wrote:
> > I'd like to encipher things to keyid 75E4988D (seems to be on
> > wwwkeys.pgp.net)... but GnuPG simply refuses to import it because
> > it's lacking a self-signature.
> >
> > pgp 6.5.2 (yeah, I know, but this is a long-standing production
> > process at work that I'm trying to update) has no trouble with this
> > key.
> >
> > --expert doesn't help and we don't have a --force...
>
> --allow-non-selfsigned-uid

I was shocked that non-self-signed UIDs were allowed at all.
The only reason I can think of for such a UID, would be to
annotate a local key that you don't own.  (Just as local
signatures are used for localized key annotation.)  I decided
to run some tests.  Others may be interested in the results:

GnuPG 1.2.1
-----------
  gpg --import key.asc
  This command *silently* ignores unsigned UIDs.

  gpg --import --allow-non-selfsigned-uid key.asc
  This command imports unsigned UIDs, but warns the user about
  the unsigned UIDs.

  gpg -o key.asc --export test@test.com
  This command exports *all* UIDs.  No warning is given about
  the unsigned UIDs.

PGP 8.02
--------
  Imports and exports unsigned UIDs.  Unsigned UIDs are annotated
  as being *revoked*. ldap://keyserver.pgp.com also accepts unsigned
  UIDs.  This means one could [for example] add porn site
  advertisements and humorous but annoying photo UIDs to an enemy's
  key.  ... advertisements are probably only a matter of time if
  the problem isn't fixed.

 - Yenot
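A structural check for the situation the thread describes, added here as an example (it is not GnuPG's code and not from the original posters): it walks a binary (not ASCII-armored) v4 key block and reports User IDs and user attribute packets that carry no certification signature (types 0x10 to 0x13) whose Issuer subpacket (type 16) names the primary key. It only tests that such a self-certification is present, it does not verify the signature itself (that remains GnuPG's job); the sample key block is constructed with dummy MPIs and is not a real key.

```python
import hashlib

def packet(tag, body):          # old-format header with a 2-octet length (RFC 4880 4.2.1)
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def new_len(buf, i):            # new-format length, also the subpacket length encoding
    n = buf[i]
    if n < 192: return n, i + 1
    if n < 255: return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def read_packets(data):         # (tag, body) per packet; partial/indeterminate lengths unsupported
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                                   # new-format header
            tag, (length, i) = hdr & 0x3F, new_len(data, i)
        else:                                            # old-format: 1, 2 or 4 length octets
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]; i += length

def subpackets(buf):            # (type, value) per subpacket; the length covers the type octet
    i = 0
    while i < len(buf):
        length, i = new_len(buf, i)
        yield buf[i] & 0x7F, buf[i + 1:i + length]; i += length

def unsigned_uids(keyblock):
    """(primary key ID, UIDs/attributes with no 0x10-0x13 certification naming the primary key)."""
    (tag, body), *rest = read_packets(keyblock)
    if tag != 6 or body[0] != 4: raise ValueError("expected a v4 primary public key first")
    key_id = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]
    missing, current = [], None
    for tag, body in rest:
        if tag in (13, 17):                              # User ID or user attribute (photo)
            missing.append(current := body.decode("utf-8", "replace") if tag == 13 else "[user attribute]")
        elif tag == 2 and current in missing and body[0] == 4 and 0x10 <= body[1] <= 0x13:
            hl = int.from_bytes(body[4:6], "big"); ul = int.from_bytes(body[6 + hl:8 + hl], "big")
            subs = list(subpackets(body[6:6 + hl])) + list(subpackets(body[8 + hl:8 + hl + ul]))
            if any(t == 16 and v == key_id for t, v in subs):   # Issuer subpacket names this key
                missing.remove(current)
    return key_id.hex().upper(), missing

def build_sample():             # constructed, NOT a real key: dummy v4 RSA key + two UIDs
    key = packet(6, b"\x04\x3e\x92\xbc\x50\x01\x00\x03\x05\x00\x02\x03")   # ver, time, RSA, n, e
    key_id = hashlib.sha1(b"\x99" + key[1:]).digest()[-8:]                # key[1:] = len + body
    selfsig = packet(2, b"\x04\x13\x01\x02\x00\x00\x00\x0a" + bytes([9, 16]) + key_id + b"\x00\x00\x00\x01\x01")
    # the second UID was appended without any certification: what GnuPG drops on plain import
    return key + packet(13, b"owner <owner@example.com>") + selfsig + packet(13, b"injected <spam@example.net>")
```

To run it on a real key, feed it `gpg --export <keyid>` output (binary, no `--armor`) and treat any reported entry as a UID GnuPG would refuse without `--allow-non-selfsigned-uid`.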