Keyserver doesn't honour signature removal

David Shaw dshaw at
Tue Apr 21 06:39:01 CEST 2009

On Apr 13, 2009, at 5:23 AM, Sven Radde wrote:

> Hi!
> John Clizbe schrieb:
>> You can remove any cruft you wish and distribute that key yourself.  
>> You
>> just can't use the keyserver networks to do it. Also anyone who
>> refreshes that key from a keyserver will pick up all the pieces you
>> decided needed deleting.
> If you distribute the key yourself, you can set a preferred keyserver
> flag on your key. You can have that point to, e.g.,
> and refreshes should be done from  
> there
> (unless the other user changes "keyserver-options honor-keyserver- 
> url").
> With PKA, you can even get automatic key retrieval without a  
> keyserver.

That's not quite right.  PKA records in DNS can point to a keyserver,  
but you still need the keyserver in the mix somewhere (though, like  
the "preferred keyserver" feature, that "keyserver" might be a key  
stored on a web server).

You might be thinking of CERT.  The CERT DNS record can store either a  
URL like PKA does, or can store the whole key so you don't need a  
keyserver.  Of course, that can make for a pretty big DNS record...

CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS.  PKA  
is a different sort of thing - it's a pretty neat way to leverage the  
ubiquity of DNS into a different trust model.  It just happens that  
both CERT and PKA can do the "DNS lookup to find a key" trick.


More information about the Gnupg-users mailing list