Delete key from keyserver
linux at codehelp.co.uk
Sat Oct 22 20:31:54 CEST 2005
On Saturday 22 October 2005 5:26 pm, B. Kuestner wrote:
> Wow, is it just me or does anybody else consider this a major design
> flaw of the whole setup?
It is actually a component of one of the major strengths - the web of trust.
1. It is made perfectly clear that you are the sole protector of your private
key and if you still had your private key you could revoke the unused keys.
2. Revoked keys are valuable and should not be deleted from keyservers - the
fact that a key has been revoked can be critically important.
3. Having lots of keys for (apparently) the same person is a GOOD thing as it
explains, reinforces and encourages usage of the web of trust. It makes it
less likely that anyone will be dumb enough to trust a key simply on the UID
4. It is up to the user to decide when it is appropriate to send their key to
a keyserver. If anything needs to change it is that the documentation should
more strongly encourage users to test locally and only upload keys that they
are proposing to use regularly - not test keys.
One thing I have considered is that if a keyserver receives a new key (rather
than an updated one) it might be possible for a protocol change to ask the
user if this key really should be uploaded. The keyserver might use such a
change in the protocol to pass an error/result code to the gnupg program
submitting the key, raising the warning and asking for confirmation. No idea
how workable this might be.
5. These unused keys typically don't clutter up the web of trust either -
again because they usually only have self-signatures so they can be excluded
at the first step of the calculations. Only signatures made by someone else
on your key are counted to the web of trust.
> - After decades of IT, how can one still design software that is
> absolutely unforgiving to people's stupidity in a critical area.
It is the fault of the users that there are so many unused keys on keyservers.
However, this is NOT a critical area. The capacity of keyservers is not a
problem - critical or otherwise. These unused keys are v.small because they
rarely have more than a self-signature and one UID.
> That's like being able to close a window of unsaved work without
> being prompted to save.
No, it is more like not being reminded to not send junk to your website. It's
not about "losing" anything, it is about the point at which your local data
(the key) becomes public. You have simply copied a file to a remote location
- you lose nothing by doing so.
> - It is so easy to make life miserable for somebody else. What would
> prevent me from picking any e-mail address that isn't mine and upload
> dozens of keys to the key servers, maybe even give them misleading
> comments like "current" etc.. If anybody were then looking for the
> public key to joesmith at hisdomain.com, there would be a useless mess
> of keys without telling which one is correct to use. And worst of
> all: Joe Smith has no way of fixing the situation, even if he is
> legitimate owner of the joesmith at hisdomain.com e-mail address.
That is exactly my point, NOBODY should rely on ANY of that information to
identify a key. The only identifier for a key is the fingerprint. You MUST
verify the fingerprint with the person and only then can you be sure that the
key is for that person.
The web of trust enables such verification - if you can't meet me in person,
you can verify my key by having your key signed by someone who has met me
(there are lots).
Until that happens, you have no way of trusting that this key belongs to the
named person. None. The signature simply means that the message has not been
tampered since being signed.
> It strikes me, that GNU-supporters would bash MS (or for that reason
> any vendor of proprietary software) for dishing out once more a
> thoughtless, immature and insecure software design.
You've got the wrong end of the problem. This is about enhancing security by
preventing people making wrong assumptions about key ownership simply from
the public data on the key that can be so easily duplicated. You can only
trust the fingerprint - which cannot be duplicated.
> I understand it must not be simple to revoke or disable keys.
It must be impossible for anyone but the key owner (or their appointed
representative) to revoke a key.
Any user can, however, mark a key in their keyring as disabled - it has no
effect whatsoever on the keyserver copy, neither do you need the private key
of that key to disable it locally.
> But it
> shouldn't be impossible either, especially in the light of anybody's
> capability to put public keys under my name on the server.
It isn't. I could generate a key under your name at any time. The only way
anyone can identify YOUR key is by getting the fingerprint identification
Do NOT trust the UID until you can trust the fingerprint. If you don't have
verification of the fingerprint, you cannot trust the key - at all. Zip.
> Am I missing something?
Yes, the web of trust and the benefits of keysigning.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20051022/92c55ef3/attachment-0001.pgp
More information about the Gnupg-users