Bogus Key on Keyservers

Tad Marko tad at tadland.net
Fri Oct 14 16:51:22 CEST 2005


On Thu, Oct 13, 2005 at 09:39:00PM -0700, Eric wrote:
> On Thu, 2005-10-13 at 13:26 -0500, Tad Marko wrote:
> > If someone creates a key that LOOKS like I created it (my name and
> > email address) and uploads it to the keyservers, how can I either get
> > rid of it or somehow flag my own key in such a way that it is clear
> > which is the real one?
> 
> You can't. That's like asking how you can stop other people from
> printing out badges that say "I am Tad Marko" and pinning them to their
> shirts.

I'm not asking for that. I want them to not say that a given key goes
to tad at tadland.net.

> Besides, if you could do that, what would stop someone else from
> deleting YOUR key off of the keyserver or flagging THEIR key as the real
> Tad Marko?

An email verification step?

> It sounds like your real concern is how you can stop your friends from
> inadvertently getting the wrong key and accidentally encrypting messages
> to someone pretending to be you.

Close...I simply want to minimize confusion.
 
> GPG and PGP don't care about names -- they only care about public keys.
> If you want someone to be able to send a message to the right person,
> you need to make sure they're encrypting it with the right public key. 
> 
> You do this by telling them your key's signature before they go looking
> on the keyserver.

Right. But, an email-verified mechanism for removing keys stamped with
an email address seems like an important omission from the key server system.

Tad
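
An added example, not part of the original thread: it shows why two keyserver entries with the same name and address are still distinguishable, assuming the value handed over in advance is the OpenPGP v4 key fingerprint (RFC 4880, section 12.2). The user ID, timestamps and toy key numbers are constructed for illustration and are not real keys.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1, MPIs."""
    return struct.pack(">BIB", 4, created, 1) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the packet body. The user ID is not hashed."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def select_key(candidates, trusted_fingerprint):
    """Keep only the candidates whose fingerprint equals the one learned out of band."""
    want = trusted_fingerprint.replace(" ", "").upper()
    return [c for c in candidates if v4_fingerprint(c["key"]) == want]

# Constructed sample data: small integers stand in for RSA moduli.
USER_ID = "Example User <user@example.org>"
GENUINE = {"uid": USER_ID, "key": v4_public_key_body(1129000000, (1 << 127) + 51, 65537)}
LOOKALIKE = {"uid": USER_ID, "key": v4_public_key_body(1129100000, (1 << 127) + 85, 65537)}
KEYSERVER_RESULTS = [LOOKALIKE, GENUINE]  # a search by name or address returns both

def demo():
    # Assumption: the owner passed this fingerprint on in person or by phone.
    trusted = v4_fingerprint(GENUINE["key"])
    return select_key(KEYSERVER_RESULTS, trusted)

if __name__ == "__main__":
    for entry in KEYSERVER_RESULTS:
        print(entry["uid"], v4_fingerprint(entry["key"]))
    print("accepted:", len(demo()))
```

Both entries print the same user ID with different fingerprints, and only the entry matching the out-of-band fingerprint is accepted.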


