deluid // follow-up
vedaal at hush.com
Wed Aug 10 23:46:01 CEST 2005
after looking at the deluid some more,
found that any user's uid can be deleted from the public key,
and that this appears to be OpenPGP behavior

this can be useful when someone has many outdated uids,
and the user wants only the one with the current 'real' e-mail address,
and wants to delete all the other ones

still,
this could lead to some abuse,
since a user could intentionally delete the 'real' uid from someone's public key, leave an outdated one,
and either publicly post the key, or upload that key to a new keyserver that did not have it before,
and an unsuspecting user, verifying that key with its signatures and fingerprint,
receives misleading information about the key

wouldn't it be better
where the deluid could be 'local only/non-exportable'
for user convenience,
but would require a key-owner to make deletions

(obviously cannot be implemented retroactively,
but maybe whenever the keyserver system is modified,
it might be another issue to consider)

tia,
vedaal
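
The situation described in the message above, turned into a check a recipient can run (an added example, not part of the original post and not GnuPG's own code): it compares the user IDs in two `gpg --with-colons` listings that carry the same fingerprint, for instance a copy obtained from the key owner and a copy fetched from a keyserver, and reports the user IDs the second copy lacks. The fingerprint, addresses and listings are constructed sample data, and the record layout assumed is the GnuPG 2.x colon format.

```python
import re

# Constructed sample data: two `gpg --with-colons` listings of one key.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint
KNOWN = f"""\
pub:-:2048:1:{FPR[-16:]}:1123632000:::-:::scESC:
fpr:::::::::{FPR}:
uid:-::::1123632000::{'A1' * 20}::Alice Example <alice@current.example>:
uid:-::::1100000000::{'B2' * 20}::Alice Example <alice@old.example>:
sub:-:2048:1:FEDCBA9876543210:1123632000::::::e:
fpr:::::::::{'C3' * 20}:
"""
# Constructed second copy: same key, with the current uid stripped.
FETCHED = "".join(l for l in KNOWN.splitlines(True)
                  if "alice@current.example" not in l)

def _unescape(field):
    # The colon format writes special characters as \xNN (':' is \x3a).
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def parse_colons(listing):
    """Map each primary-key fingerprint to the set of its user IDs."""
    keys, uids, expect_primary_fpr = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            uids, expect_primary_fpr = None, True
        elif f[0] == "fpr" and expect_primary_fpr and len(f) > 9:
            uids = keys.setdefault(f[9], set())
            expect_primary_fpr = False  # later fpr records belong to subkeys
        elif f[0] == "uid" and uids is not None and len(f) > 9:
            uids.add(_unescape(f[9]))
    return keys

def missing_uids(known, fetched):
    """User IDs in the known copy that the fetched copy lacks, per fingerprint."""
    known_keys, fetched_keys = parse_colons(known), parse_colons(fetched)
    return {fpr: sorted(uids - fetched_keys[fpr])
            for fpr, uids in known_keys.items()
            if fpr in fetched_keys and uids - fetched_keys[fpr]}

if __name__ == "__main__":
    for fpr, lost in missing_uids(KNOWN, FETCHED).items():
        print(f"{fpr}: fetched copy lacks {lost}")
```

Both copies report the same fingerprint because an OpenPGP fingerprint is computed over the primary key material only, so the comparison has to be made on the user IDs themselves.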