Delete key from keyserver

Bob Henson bob.henson at galen.org.uk
Sun Oct 23 18:16:43 CEST 2005



David Shaw wrote:
> On Sat, Oct 22, 2005 at 06:26:51PM +0200, B. Kuestner wrote:
> 
>> all: Joe Smith has no way of fixing the situation, even if he is  
>> legitimate owner of the joesmith at hisdomain.com e-mail address.
>> 
>> It strikes me, that GNU-supporters would bash MS (or for that reason  
>> any vendor of proprietary software) for dishing out once more a  
>> thoughtless, immature and insecure software design.
>> 
>> I understand it must not be simple to revoke or disable keys. But it  
>> shouldn't be impossible either, especially in the light of anybody's  
>> capability to put public keys under my name on the server.
>> 
>> Am I missing something?
>> 
>> >It's an inherent scaling problem of the keyserver net.  I've
>> >seen estimates that the majority of the keys on the keyserver net are
>> >not used for one reason or another, but can't be deleted.  Even with
>> >the garbage keys, the keyserver database isn't too large to be served
>> >though.
>> 
>> Well, my issue is not so much with the keyservers. I guess with  
>> faster and more hardware this scheme could be maintained for decades.
>> 
>> But if the keyservers are not directories to look up public keys,  
>> then what are they? And if they are meant as directories, how good  
>> are they if they are flooded with garbage keys.
>> 
>> >The PGP company is running a different sort of keyserver at
>> >http://keyserver.pgp.com.  This type of keyserver allows you to remove
>> >keys if you can prove (by answering an email challenge) that you have
>> >access to the email address on the key.  This keyserver obviously does
>> >not synchronize with the others, however.
>> 
>> Can gpg use this keyserver? It is listed in the settings of my MacPG.  
> 
> GPG can use this keyserver.  Just set:
> 
>   keyserver ldap://keyserver.pgp.com
> 
> in your gpg.conf file (or whatever GUI you happen to be using).
> 
>> Is using this server recommendable for everybody?
> 
> This is a harder question.  I would unhesitatingly recommend it for
> beginning users.  It's also useful for any level user who wants to
> simplify the whole key selection process - it guarantees there is only
> one key per email address.  If you want to mail to a particular
> address, there is no question which is the "right" key, as there is
> only the one key there.
> 
> I believe it is also the default keyserver for PGP users.
> 
> Some people do not like this server as it does email address
> verification (via sending a mail to the email address on the key, if
> any), and then signs the key.  These signatures are reissued every 2
> weeks or so if people keep requesting the key.  The list of signatures
> can get long.  Both PGP and GPG have features to delete the expired
> ones.
> 
> David

That's not the only reason though. The PGP Global Keyserver is dangerous, as
well as a nuisance, for a number of reasons. As it only shows one key on a
search for a users name, it might cause people to miss a revoked key and
continue using it. Similarly, because it doesn't synchronise with other
servers, such a key could be missed. My key was on there because I tried PGP
9.x and it puts it there without asking - most undesirable in itself - but
at least by ignoring the requests to repeat the e-mail verification it
should have been removed by now. The "verification" is dangerous in itself,
since people may rely on the server signature for trust - which is not a
good idea for obvious reasons - anyone could upload a key from a particular
address, and e-mail verification *alone* is of little value. If anyone
*does* use it, whatever you do *don't* sign the PGP verification key, as it
will impart an unwarranted trust to other keys signed with the same key. My
advice (shared by many more knowledgeable than I) would be to steer clear of
it at all costs.


Regards,

Bob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20051023/1b8c38d7/signature.pgp


More information about the Gnupg-users mailing list