Suspect Signatures

David Shaw dshaw at
Tue Sep 23 17:38:05 CEST 2008

On Mon, Sep 22, 2008 at 02:42:19PM -0400, David Newman wrote:
> Hi there,
> I received a signature on my public key from an unknown key.  Is there a
> way that I can mark the signature as suspect, i.e. that I did not verify
> that this person verified my identity, in a way that can be re-uploaded
> to keyservers?

Alas, no.

There is a part of the OpenPGP spec, the keyserver no-modify flag,
that can be set to inform a keyserver that only the keyholder is
allowed to update the key on the keyserver.  GnuPG sets this flag by
default, but unfortunately no keyserver currently implements it, so
anyone can update a key on a keyserver if they like.  (The PGP
keyserver doesn't implement the flag, but it restricts updates to the
keyholder via other means.)

That said, this is really an aesthetic problem, and not a trust
problem.  The web of trust ultimately takes care of bad signatures as
those people who issue them will eventually get marked as
untrustworthy.  I have a few mystery signatures on my key as well.  No
real harm - just ignore them.
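
Added example, not part of the original message and not GnuPG code: the keyserver no-modify flag mentioned above is the high bit (0x80) of the first octet of the Key Server Preferences subpacket (type 23, RFC 4880 section 5.2.3.17) in a self-signature, and this sketch shows the check a keyserver honoring it would have to make. The function names are hypothetical and the sample subpacket bytes are constructed.

```python
# Added example (not GnuPG code): read the keyserver no-modify flag from an
# OpenPGP signature subpacket area (RFC 4880, sections 5.2.3.1 and 5.2.3.17).

KEY_SERVER_PREFS = 23  # subpacket type "Key Server Preferences"
NO_MODIFY = 0x80       # high bit of the first preference octet


def iter_subpackets(area: bytes):
    """Yield (type, critical, body) for each subpacket in the area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:                                # 0xFF, then four-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length = int.from_bytes(area[i + 1:i + 5], "big")
            i += 5
        # The length counts the type octet, so it can never be zero.
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket")
        type_octet = area[i]
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[i + 1:i + length]
        i += length


def no_modify_requested(hashed_area: bytes) -> bool:
    """True if the self-signature asks keyservers to accept updates only
    from the keyholder. Only the hashed area is covered by the signature."""
    for sp_type, _critical, body in iter_subpackets(hashed_area):
        if sp_type == KEY_SERVER_PREFS:
            return bool(body) and bool(body[0] & NO_MODIFY)
    return False


# Constructed sample areas: creation time (type 2), key flags (type 27),
# then key server preferences (type 23) with and without the flag.
SAMPLE_SET = bytes.fromhex("050248d90c1d" "021b03" "021780")
SAMPLE_CLEAR = bytes.fromhex("050248d90c1d" "021b03" "021700")

if __name__ == "__main__":
    print(no_modify_requested(SAMPLE_SET), no_modify_requested(SAMPLE_CLEAR))
```

The flag is only a request carried in the key; as the message says, it has an effect only where the keyserver chooses to enforce it.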


