Keyserver doesn't honour signature removal
dshaw at jabberwocky.com
Tue Apr 21 17:22:51 CEST 2009
On Apr 21, 2009, at 1:44 AM, Faramir wrote:
> Sven Radde escribió:
>> PKA is the way to get somebody to use my web server already for
>> key retrieval (although this might not be the primary purpose of
>> PKA) so
>> that the (synchronizing merge-only) keyserver network is avoided.
> But if somebody, by mistake or on purpose uploads your key to a
> "normal" keyserver...
If your preferred keyserver field points to the web server, that would
tend to (eventually) remove the normal keyserver from the equation.
That way, if they find your key via the keyserver, then they'll still
(assuming they haven't changed the default configuration) end up at
your web site at refresh time.
Personally, I don't worry too much about it. Given the client-centric
design of OpenPGP, there will always be ways to get the key from the
wrong place. When I update my key, I send it to the keyservers, and
stick it on my web site. Whichever the person hits is fine with me
(or put another way, it's not as if I have a choice in the matter, so
I may as well be fine with it).
What does worry me about the keyserver situation is that it is
confusing for the newcomer to OpenPGP: there are several different
round-robin keyserver setups (with different semantics between them!),
there are some servers that still can't cope with subkeys, there is
confusion on whether a syncing server is necessary or not, etc. This
is visible every time someone asks a keyserver question on this list:
each response gives a different recommended server.
More information about the Gnupg-users