deluid // follow-up

vedaal at vedaal at
Wed Aug 10 23:46:01 CEST 2005

after looking at the deluid some more,

found that any user's uid can be deleted from the public key,
and that this appears to be open-pgp behavior

this can be useful when someone has many outdated uid's,
and the user wants only the one with the current  'real' e-mail 
and wants to delete all the other ones


this could lead to some abuse,
since a user could intentionally delete the 'real' uid from 
someone's public key, leave an outdated one,
and either publicly post the key , or upload that key to a new 
keyserver that did not have it before,

and an unsuspecting user, verifying that key with its signatures 
and fingerprint,
receives misleading information about the key

wouldn't it be better
where the deluid could be 'local only/non-exportable'
for user convenience,
but would require a key-owner to make deletions
(obviously cannot be implemented retro-actively,
but maybe whenever the keyserver system is modified,
it might be another issue to consider)



Concerned about your privacy? Follow this link to get
secure FREE email:

Free, ultra-private instant messaging with Hush Messenger

Promote security and make money with the Hushmail Affiliate Program:

More information about the Gnupg-users mailing list