Vandalizing keyserver UID's

David Stults gnupg-users at 3bdr.com
Fri Apr 25 05:52:12 CEST 2008


Greetings,

This evening I've been working on stamping old public keys (long  
since lost the secret key) with a bogus UID to inspire people to  
avoid trying to use them.  I'm curious as to how I can tell the UID  
is fake.  For example, here is the GPG output of --list-keys for one  
of the keys I branded:

pub   1024D/DF71515D 2000-02-21
uid                  David Stults <dstults at integratelecom.com>
sig          DF71515D 2000-02-21  David Stults  <dstults at integratelecom.com>
uid                  DO NOT USE THIS KEY!
sig          DF71515D 2000-02-21  David Stults  <dstults at integratelecom.com>
sub   2048g/78B9A888 2000-02-21
sig          DF71515D 2000-02-21  David Stults  <dstults at integratelecom.com>

That seems to imply that even the bogus UID (the second one, as you  
may have guessed ;-)) is in fact signed.

The keyserver displays it differently, but seems to make the same  
assertion:

uid DO NOT USE THIS KEY!
sig  sig   DF71515D 2000-02-21 __________ __________ [selfsig]

uid David Stults <dstults at integratelecom.com>
sig  sig   DF71515D 2000-02-21 __________ __________ [selfsig]

sub  2048g/78B9A888 2000-02-21
sig sbind  DF71515D 2000-02-21 __________ __________ []

Forgive me if I've just been obtuse.  It isn't making sense to me, and
I'd like it to.  I want to be able to look at a public key and
determine if any bogus UIDs have been added to it.  The only thing
I've noticed is that my newer keys say "sig 3", while the older ones
don't have a certification level given.

Thanks!
Dave

---
David Stults

PGP Key 0x97715d12
http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0x97715D12
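
Added example, not part of the original post: gpg's --list-sigs output shows which signatures are attached without verifying them, while --check-sigs verifies each one. The Python code below parses `gpg --check-sigs --with-colons` output for a single key and reports user IDs that have no verified self-signature. The key IDs, names and sample text are constructed, and the field layout is assumed from GnuPG's doc/DETAILS.

```python
# Added example: flag user IDs that lack a verified self-signature.
# Input: text of `gpg --check-sigs --with-colons <keyid>` for one key.
# Assumed layout (GnuPG doc/DETAILS): field 1 record type, field 2 check
# result on sig records ("!" good, "-" bad), field 5 key ID, field 10 user ID.

# Constructed sample; key IDs, hashes and names are placeholders.
SAMPLE = """\
pub:-:1024:17:AAAAAAAA11111111:951091200:::-:::scESC:
uid:-::::951091200::HASH1::Alice Example <alice@example.org>:
sig:!::17:AAAAAAAA11111111:951091200::::Alice Example <alice@example.org>:13x:
uid:-::::951091200::HASH2::Constructed Added UID:
sig:-::17:AAAAAAAA11111111:951091200::::Alice Example <alice@example.org>:13x:
sub:-:2048:16:BBBBBBBB22222222:951091200::::::e:
sig:!::17:AAAAAAAA11111111:951091200::::Alice Example <alice@example.org>:18x:
"""

RANK = {"missing": 0, "unchecked": 1, "bad": 2, "verified": 3}
MARK = {"!": "verified", "-": "bad"}  # any other value: not verified


def uid_selfsig_status(colons_text):
    """Map each user ID to the best self-signature result seen for it."""
    primary, current, status = None, None, {}
    for line in colons_text.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] == "pub":
            primary, current = f[4], None
        elif f[0] == "uid":
            current = f[9]
            status.setdefault(current, "missing")
        elif f[0] in ("sub", "uat"):
            current = None  # following sigs do not belong to a user ID
        elif f[0] == "sig" and current is not None and f[4] == primary:
            seen = MARK.get(f[1], "unchecked")
            if RANK[seen] > RANK[status[current]]:
                status[current] = seen
    return status


def suspect_uids(colons_text):
    """User IDs without a self-signature that gpg reported as good."""
    st = uid_selfsig_status(colons_text)
    return sorted(u for u, s in st.items() if s != "verified")


if __name__ == "__main__":
    for uid in suspect_uids(SAMPLE):
        print("no verified self-signature:", uid)
```

If the input comes from --list-sigs instead of --check-sigs, field 2 is empty and every user ID is reported as unchecked.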


