no-ks-modify effect on signature uploads

Hauke Laging mailinglisten at hauke-laging.de
Wed Aug 11 17:52:50 CEST 2010


Am Mittwoch 11 August 2010 16:11:24 schrieb David Shaw:

> > Does gpg upload signatures for other people's key which have this flag?

> I actually considered this once, but in the end, it would be confusing to
>  have a key be uploadable with PGP but not GPG.

Maybe but the number of people using both (with the same keys!) is probably 
not so high. And it would be obvious to anyone that this behaviour is due to 
an improvement in gpg. Avoid big number improvement in order to avoid small 
number confusion? A weak argument, even more as gpg is not strictly compatible 
to (all versions of) PGP (simultaneously) anyway.

gpg should issue an error message to inform the user.


>  Also, it could be defeated
>  trivially by just exporting a key to a text file (always legal),

When doing this with such a key then a warning should be issued. This would 
have the additional positive effect of making users aware of the privacy 
problem over time.


>  and then
>  uploading it to the keyservers using the web.  It would have been an
>  illusion of actual functionality.

No, not an illusion of functionality, maybe an illusion of protection. The 
problem would not be solved but reduced. The illusion could be prevented by 
putting the relevant information into both the documentation and error/warning 
messages. Having such an illusion would be the fault of noone but the 
respective user himself. And there is no reason that there is noone out there 
who has this illusion even today. :-)


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 555 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20100811/5637d006/attachment.pgp>


More information about the Gnupg-users mailing list