Delete key from keyserver

Neil Williams linux at codehelp.co.uk
Sat Oct 22 20:31:54 CEST 2005 

On Saturday 22 October 2005 5:26 pm, B. Kuestner wrote:
> Wow, is it just me or does anybody else consider this a major design
> flaw of the whole setup?

It is actually a component of one of the major strengths - the web of trust.

1. It is made perfectly clear that you are the sole protector of your private 
key and if you still had your private key you could revoke the unused keys.

2. Revoked keys are valuable and should not be deleted from keyservers - the 
fact that a key has been revoked can be critically important.

3. Having lots of keys for (apparently) the same person is a GOOD thing as it 
explains, reinforces and encourages usage of the web of trust. It makes it 
less likely that anyone will be dumb enough to trust a key simply on the UID 
alone.

4. It is up to the user to decide when it is appropriate to send their key to 
a keyserver. If anything needs to change it is that the documentation should 
more strongly encourage users to test locally and only upload keys that they 
are proposing to use regularly - not test keys.

One thing I have considered is that if a keyserver receives a new key (rather 
than an updated one) it might be possible for a protocol change to ask the 
user if this key really should be uploaded. The keyserver might use such a 
change in the protocol to pass an error/result code to the gnupg program 
submitting the key, raising the warning and asking for confirmation. No idea 
how workable this might be.

5. These unused keys typically don't clutter up the web of trust either - 
again because they usually only have self-signatures so they can be excluded 
at the first step of the calculations. Only signatures made by someone else 
on your key are counted to the web of trust.

> - After decades of IT, how can one still design software that is
> absolutely unforgiving to people's stupidity in a critical area.

It is the fault of the users that there are so many unused keys on keyservers. 
However, this is NOT a critical area. The capacity of keyservers is not a 
problem - critical or otherwise. These unused keys are v.small because they 
rarely have more than a self-signature and one UID.

> That's like being able to close a window of unsaved work without
> being prompted to save.

No, it is more like not being reminded to not send junk to your website. It's 
not about "losing" anything, it is about the point at which your local data 
(the key) becomes public. You have simply copied a file to a remote location 
- you lose nothing by doing so.

> - It is so easy to make life miserable for somebody else. What would
> prevent me from picking any e-mail address that isn't mine and upload
> dozens of keys to the key servers, maybe even give them misleading
> comments like "current" etc.. If anybody were then looking for the
> public key to joesmith at hisdomain.com, there would be a useless mess
> of keys without telling which one is correct to use. And worst of
> all: Joe Smith has no way of fixing the situation, even if he is
> legitimate owner of the joesmith at hisdomain.com e-mail address.

That is exactly my point, NOBODY should rely on ANY of that information to 
identify a key. The only identifier for a key is the fingerprint. You MUST 
verify the fingerprint with the person and only then can you be sure that the 
key is for that person.

The web of trust enables such verification - if you can't meet me in person, 
you can verify my key by having your key signed by someone who has met me 
(there are lots).

Until that happens, you have no way of trusting that this key belongs to the 
named person. None. The signature simply means that the message has not been 
tampered since being signed.

> It strikes me, that GNU-supporters would bash MS (or for that reason
> any vendor of proprietary software) for dishing out once more a
> thoughtless, immature and insecure software design.

You've got the wrong end of the problem. This is about enhancing security by 
preventing people making wrong assumptions about key ownership simply from 
the public data on the key that can be so easily duplicated. You can only 
trust the fingerprint - which cannot be duplicated.

> I understand it must not be simple to revoke or disable keys.

It must be impossible for anyone but the key owner (or their appointed 
representative) to revoke a key. 

Any user can, however, mark a key in their keyring as disabled - it has no 
effect whatsoever on the keyserver copy, neither do you need the private key 
of that key to disable it locally.

> But it 
> shouldn't be impossible either, especially in the light of anybody's
> capability to put public keys under my name on the server.

It isn't. I could generate a key under your name at any time. The only way 
anyone can identify YOUR key is by getting the fingerprint identification 
from you.

Do NOT trust the UID until you can trust the fingerprint. If you don't have 
verification of the fingerprint, you cannot trust the key - at all. Zip. 
Zero.

> Am I missing something?

Yes, the web of trust and the benefits of keysigning.

-- 

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20051022/92c55ef3/attachment-0001.pgp

More information about the Gnupg-users mailing list