[OT] Re: useless test keys and keyservers

David Shaw dshaw at jabberwocky.com
Tue Mar 1 19:47:29 CET 2005


On Tue, Mar 01, 2005 at 07:32:27PM +0100, Erwan David wrote:
> On Tue 1/03/2005, Melissa Reese said
> > Hi Stewart,
> > 
> > On Tuesday, March 01, 2005, at 9:12:29 AM PST, you wrote:
> > 
> > > Well, it appears that someone (not me!) has submitted your key to a
> > > keyserver for you. (Paraphrasing a famous quote) Whilst I don't
> > > agree with your views on keyservers, I support your right to have
> > > them. If it wasn't you that submitted it I think this is bad form
> > > for whoever did it. :-(
> > 
> > Yes, one of my greatest disappointments with the current keyserver
> > system is the ability of anyone to upload anyone else's keys.  I have
> > several keys, associated with several different accounts, and while
> > I've uploaded *one* of them to the keyservers myself, the rest were
> > uploaded by others.  In some cases, after they've signed my keys with
> > exportable signatures, though they don't know me, or my association
> > with certain keys from a hole in the ground.  Is that really "good
> > practice" in terms of "web of trust"?
> 
> There are 2 keys on keyservers which bear my name, but which I do not
> own. Worse they are signed by several keys bearing the name of people
> who know me, but those keys do not belong to them either.

This reminds me of something that happened back in the PGP 2 days.
The web of trust was a lot smaller than it is today, and someone took
it upon themselves to duplicate it by making all the keys themselves,
and recreating the various inter-key links to match the real web.

> However, if checks are done carefully, nobody can trace those keys to
> me through a sensible chain of signatures, leading to a personally
> verified key ownership.

Yes.

David



More information about the Gnupg-users mailing list