key question

David Shaw dshaw at jabberwocky.com
Fri Feb 26 21:08:15 CET 2010


On Feb 26, 2010, at 1:30 PM, Grant Olson wrote:

> On 2/26/2010 12:38 PM, MFPA wrote:
>> 
>> I am *not* advocating the implementation of any form of
>> Digital Restrictions Malware (DRM).
>> 
>> Uploading a somebody else's key without first checking it is OK by
>> them is a breach of their privacy and could well be illegal/unlawful
>> in jurisdictions with data protection legislation (for example, if a
>> company published a customer's key, showing their name and/or email
>> address, to a server).
>> 
> 
> As a practical matter, even if your contacts agree to respect your
> wishes, it's still pretty easy for them to accidentally send it to the
> keyservers.  Perhaps mis-typing a command when they try to upload their
> own key.  Perhaps clicking the wrong button.  Perhaps because they just
> don't really know how gpg works and start typing random commands.

An interesting tidbit here is that the OpenPGP spec actually handles this accidental submission case.  There is a keyserver no-modify flag that can be set on a key, which requests that the keyserver reject any key that isn't submitted by the key owner.  Alas, while GnuPG supports the flag, no keyserver does.  (And in fact, supporting it would require a pretty significant redesign of the keyserver network).

David




More information about the Gnupg-users mailing list