Keyserver doesn't honour signature removal

Sven Radde email at sven-radde.de
Tue Apr 21 07:31:21 CEST 2009


Hi!

David Shaw wrote:
>> With PKA, you can even get automatic key retrieval without a keyserver.
> 
> That's not quite right.  PKA records in DNS can point to a keyserver,
> but you still need the keyserver in the mix somewhere (though, like the
> "preferred keyserver" feature, that "keyserver" might be a key stored on
> a web server).

True, you still need some kind of server (one might argue that even
using CERT, you have a 'keyserver' - the DNS server itself).
The notable difference, however, is that a web server presents my key
exactly as *I* desire, allowing for removed signatures, replacing the
key by a new one etc.
PKA is the way to get somebody to use my web server already for initial
key retrieval (although this might not be the primary purpose of PKA) so
that the (synchronizing merge-only) keyserver network is avoided.

> CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS.

Unfortunately, my provider does not allow me to set CERT type DNS
records. TXT is possible (for, e.g., SPF and PKA).
I will ask whether they can do it (since it appears to be natively
supported in BIND 9, right?)

cu, Sven
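The PKA lookup this thread relies on, as an added example that is not part of the original thread or of GnuPG's own code. It assumes the record layout GnuPG documents for PKA (a TXT record at `<local>._pka.<domain>` holding `v=pka1;fpr=<fingerprint>;uri=<key location>`) and shows the check that makes a self-hosted key source safe: the key actually fetched from the uri must carry the fingerprint published in DNS. The sample record, fingerprint and URI are constructed placeholders.

```python
import re

# Assumption: PKA record layout as documented by GnuPG, "v=pka1;fpr=<40 hex>;uri=<uri>".
_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def pka_owner_name(email: str) -> str:
    """Map user@domain to the DNS owner name GnuPG queries for a PKA TXT record."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address: %r" % email)
    return "%s._pka.%s" % (local, domain)


def parse_pka_record(txt: str) -> dict:
    """Parse one PKA TXT record into its fields, rejecting malformed records."""
    fields = {}
    for item in txt.strip().strip('"').split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")  # split on the first '=' only; URIs contain '='
        if not sep:
            raise ValueError("malformed field: %r" % item)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("unsupported PKA version")
    fpr = fields.get("fpr", "").upper()
    if not _FPR_RE.match(fpr):
        raise ValueError("fingerprint must be 40 hex digits")
    if "uri" not in fields:
        raise ValueError("missing uri")
    return {"version": "pka1", "fpr": fpr, "uri": fields["uri"]}


def key_matches_record(record: dict, retrieved_fpr: str) -> bool:
    """The binding check: a key fetched from the uri is only accepted when its
    fingerprint equals the one published in DNS, so the web server cannot
    substitute a different key."""
    return record["fpr"] == retrieved_fpr.replace(" ", "").upper()


# Constructed sample record with a placeholder fingerprint and URI (not real values).
SAMPLE_TXT = ('"v=pka1;fpr=0123456789ABCDEF0123456789ABCDEF01234567;'
              'uri=https://www.example.org/keys/sven.asc"')

if __name__ == "__main__":
    record = parse_pka_record(SAMPLE_TXT)
    print(pka_owner_name("sven@example.org"), record)
```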
