Keyserver doesn't honour signature removal
David Shaw
dshaw at jabberwocky.com
Tue Apr 21 06:39:01 CEST 2009
On Apr 13, 2009, at 5:23 AM, Sven Radde wrote:
> Hi!
>
> John Clizbe wrote:
>> You can remove any cruft you wish and distribute that key yourself. You
>> just can't use the keyserver networks to do it. Also anyone who
>> refreshes that key from a keyserver will pick up all the pieces you
>> decided needed deleting.
>
> If you distribute the key yourself, you can set a preferred keyserver
> flag on your key. You can have that point to, e.g.,
> http://yoursite.com/yourkey.asc and refreshes should be done from there
> (unless the other user changes "keyserver-options honor-keyserver-url").
>
> With PKA, you can even get automatic key retrieval without a keyserver.
That's not quite right. PKA records in DNS can point to a keyserver,
but you still need the keyserver in the mix somewhere (though, like
the "preferred keyserver" feature, that "keyserver" might be a key
stored on a web server).
You might be thinking of CERT. The CERT DNS record can store either a
URL like PKA does, or can store the whole key so you don't need a
keyserver. Of course, that can make for a pretty big DNS record...
CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS. PKA
is a different sort of thing - it's a pretty neat way to leverage the
ubiquity of DNS into a different trust model. It just happens that
both CERT and PKA can do the "DNS lookup to find a key" trick.
David
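To make the two CERT variants David describes concrete, here is an added example (not code from the thread or from GnuPG) that builds and parses RFC 4398 CERT RDATA for both forms: type 3 (PGP) with the whole key inside the record, and type 6 (IPGP) with a fingerprint plus a URL, which is the shape that still needs a web server or keyserver to hold the key. The key bytes are a constructed stand-in for a v4 public key packet, not a real key, and the URL is the one from the quoted post; the fingerprint is computed as RFC 4880 section 12.2 specifies. The last function shows the check a client has to make after following the URL in an IPGP (or PKA-style) record: the fetched key's fingerprint must match the one published in DNS, otherwise the DNS lookup only tells you where a key is, not which key it is.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 4398 section 2.1 certificate type values relevant to OpenPGP
CERT_TYPE_PGP = 3    # RDATA carries the whole OpenPGP key
CERT_TYPE_IPGP = 6   # RDATA carries fingerprint length, fingerprint, URL


@dataclass
class CertRdata:
    cert_type: int
    key_tag: int
    algorithm: int
    certificate: bytes


def v4_fingerprint(public_key_packet_body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet body length, packet body."""
    framed = b"\x99" + struct.pack("!H", len(public_key_packet_body)) + public_key_packet_body
    return hashlib.sha1(framed).digest()


def build_pgp_cert(transferable_key: bytes) -> CertRdata:
    """PGP (type 3): the complete key is the certificate.
    Key tag and algorithm are zero for OpenPGP (RFC 4398 2.1)."""
    return CertRdata(CERT_TYPE_PGP, 0, 0, transferable_key)


def build_ipgp_cert(fingerprint: bytes, url: str) -> CertRdata:
    """IPGP (type 6): one-octet fingerprint length, fingerprint, then URL."""
    if not 1 <= len(fingerprint) <= 255:
        raise ValueError("fingerprint length must fit in one octet")
    cert = bytes([len(fingerprint)]) + fingerprint + url.encode("ascii")
    return CertRdata(CERT_TYPE_IPGP, 0, 0, cert)


def encode_rdata(r: CertRdata) -> bytes:
    """Wire format: type (16 bits), key tag (16 bits), algorithm (8 bits), certificate."""
    return struct.pack("!HHB", r.cert_type, r.key_tag, r.algorithm) + r.certificate


def decode_rdata(wire: bytes) -> CertRdata:
    if len(wire) < 5:
        raise ValueError("CERT RDATA shorter than its fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", wire[:5])
    return CertRdata(cert_type, key_tag, algorithm, wire[5:])


def parse_ipgp(r: CertRdata) -> tuple[bytes, str]:
    """Split an IPGP certificate into (fingerprint, url), rejecting truncation."""
    if r.cert_type != CERT_TYPE_IPGP:
        raise ValueError("not an IPGP record")
    if not r.certificate:
        raise ValueError("empty IPGP certificate")
    n = r.certificate[0]
    fingerprint = r.certificate[1:1 + n]
    if len(fingerprint) != n:
        raise ValueError("fingerprint truncated")
    url = r.certificate[1 + n:].decode("ascii")
    return fingerprint, url


def presentation(r: CertRdata) -> str:
    """RFC 4398 2.2 text form: type, key tag, algorithm, base64 certificate."""
    cert_b64 = base64.b64encode(r.certificate).decode("ascii")
    return f"CERT {r.cert_type} {r.key_tag} {r.algorithm} {cert_b64}"


def fetched_key_matches(r: CertRdata, public_key_packet_body: bytes) -> bool:
    """After following the URL in an IPGP record, the fetched key's
    fingerprint has to equal the one published in DNS."""
    fingerprint, _url = parse_ipgp(r)
    return hmac.compare_digest(fingerprint, v4_fingerprint(public_key_packet_body))


# Constructed sample, not a real key: a v4 public key packet body
# (version, creation time, algorithm id, filler standing in for the MPIs).
SAMPLE_KEY_BODY = b"\x04" + struct.pack("!I", 1240000000) + b"\x01" + bytes(range(64))
# Minimal "transferable key": the packet with its old-format tag-6 header
# (0x99 plus two-octet length), as it would sit inside a PGP-type record.
SAMPLE_KEY = b"\x99" + struct.pack("!H", len(SAMPLE_KEY_BODY)) + SAMPLE_KEY_BODY
SAMPLE_URL = "http://yoursite.com/yourkey.asc"  # URL from the quoted post


def sample_records() -> tuple[CertRdata, CertRdata]:
    """One record of each type for the same constructed key."""
    pgp = build_pgp_cert(SAMPLE_KEY)
    ipgp = build_ipgp_cert(v4_fingerprint(SAMPLE_KEY_BODY), SAMPLE_URL)
    return pgp, ipgp


if __name__ == "__main__":
    pgp, ipgp = sample_records()
    for r in (pgp, ipgp):
        print(presentation(r))
        print(f"  RDATA size: {len(encode_rdata(r))} octets")
    print("fetched key matches IPGP fingerprint:", fetched_key_matches(ipgp, SAMPLE_KEY_BODY))
```

With the toy key the PGP record is already larger than the IPGP one; a real transferable key with a user ID and self-signature typically runs to more than a kilobyte, which is the "pretty big DNS record" the reply warns about, while the IPGP form stays at a few dozen octets regardless of key size.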