Keyserver doesn't honour signature removal

David Shaw dshaw at jabberwocky.com
Tue Apr 21 17:22:51 CEST 2009


On Apr 21, 2009, at 1:44 AM, Faramir wrote:

> Sven Radde wrote:
>
>> PKA is the way to get somebody to use my web server already for initial
>> key retrieval (although this might not be the primary purpose of PKA) so
>> that the (synchronizing merge-only) keyserver network is avoided.
>
> But if somebody, by mistake or on purpose, uploads your key to a
> "normal" keyserver...

If your preferred keyserver field points to the web server, that would  
tend to (eventually) remove the normal keyserver from the equation.   
That way, if they find your key via the keyserver, then they'll still  
(assuming they haven't changed the default configuration) end up at  
your web site at refresh time.

Personally, I don't worry too much about it.  Given the client-centric  
design of OpenPGP, there will always be ways to get the key from the  
wrong place.  When I update my key, I send it to the keyservers, and  
stick it on my web site.  Whichever the person hits is fine with me  
(or put another way, it's not as if I have a choice in the matter, so  
I may as well be fine with it).

What does worry me about the keyserver situation is that it is  
confusing for the newcomer to OpenPGP: there are several different  
round-robin keyserver setups (with different semantics between them!),  
there are some servers that still can't cope with subkeys, there is  
confusion on whether a syncing server is necessary or not, etc.  This  
is visible every time someone asks a keyserver question on this list:  
each response gives a different recommended server.

David
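The "preferred keyserver field" David mentions is the preferred key server subpacket (type 24, RFC 4880 5.2.3.18) in the key's self-signature. The following is an added example, not code from this thread or from GnuPG: it pulls that URL out of a v4 signature packet, reading only the hashed (signed) subpacket area, and runs against a constructed sample packet with placeholder URLs and a dummy MPI.

```python
def _subpacket_len(buf, i):  # RFC 4880 5.2.3.1; returns (length, index of type octet)
    b0 = buf[i]
    if b0 < 192:
        return b0, i + 1
    if b0 < 255:
        return ((b0 - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def iter_subpackets(area):
    """Yield (type, data) for every subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        length, i = _subpacket_len(area, i)
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket area")
        yield area[i] & 0x7F, area[i + 1:i + length]  # bit 7 is the critical flag
        i += length

def preferred_keyserver(packet):
    """Return the preferred key server URL from a v4 signature packet, or None.
    Only the hashed area is read: unhashed subpackets are not covered by the signature."""
    if packet[0] == 0x88:                          # old-format tag 2, 1-octet length
        body = packet[2:2 + packet[1]]
    elif packet[0] == 0x89:                        # old-format tag 2, 2-octet length
        body = packet[3:3 + int.from_bytes(packet[1:3], "big")]
    else:
        raise ValueError("expected an old-format signature packet header")
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = int.from_bytes(body[4:6], "big")
    for sp_type, data in iter_subpackets(body[6:6 + hashed_len]):
        if sp_type == 24:
            return data.decode("utf-8")
    return None

def transport_is_protected(url):
    return url.lower().startswith(("https://", "hkps://"))  # http/hkp can be altered in transit

# Constructed sample (not a real key; dummy MPI): v4 positive certification
# (0x13, RSA, SHA-256) whose hashed area carries a creation time and a preferred
# key server. The unhashed area carries a different URL to show it is ignored.
_URL = b"https://keys.example.org/key.asc"
_hashed = bytes([5, 2]) + (1240323771).to_bytes(4, "big") \
    + bytes([len(_URL) + 1, 24]) + _URL
_other = b"http://other.example.net/key.asc"
_unhashed = bytes([len(_other) + 1, 24]) + _other
_body = bytes([4, 0x13, 1, 8]) + len(_hashed).to_bytes(2, "big") + _hashed \
    + len(_unhashed).to_bytes(2, "big") + _unhashed \
    + b"\xab\xcd" + b"\x00\x10\x12\x34"            # left16 + dummy 16-bit MPI
SAMPLE_SIG_PACKET = bytes([0x88, len(_body)]) + _body
```

`preferred_keyserver(SAMPLE_SIG_PACKET)` returns the https URL from the hashed area and never the unhashed one; checking the returned URL with `transport_is_protected` tells you whether a refresh to that location happens over a channel an on-path party cannot alter.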
