default keyserver-options [was: Re: keys not available for signed messages in this maillist]
dshaw at jabberwocky.com
Mon Apr 11 19:50:49 CEST 2011
On Apr 11, 2011, at 11:23 AM, Daniel Kahn Gillmor wrote:
> On 04/09/2011 10:48 AM, David Shaw wrote:
>> I agree that include-subkeys should be on by default. That only makes sense, especially now that subkeys are frequently used for signing.
>> I'm not so sure about include-revoked, though.
>> remember that anyone can fake a revocation for any one else's key on a keyserver
> I think this last point is the main reason *for* setting include-revoked
> to "on" by default.
I think my objection here is to the expectation of getting any real information out of the keyservers in cases like this.
> Alice has key 0xDECAFBAD. she uploads it to the keyservers.
> Bob creates a key, puts Alice's name on it, and uploads it to the
> Bob uploads a faked (invalid) revocation certificate for 0xDECAFBAD.
> Charlie searches for a key with Alice's name on it, and finds exactly
> one: But it's Bob's key!
If Charlie had include-revoked set he'd see two keys: Alice's, with a REVOKED marked on it, and Bob's, without the REVOKED. I suspect he'd then pick Bob's. After all, it's not inherently suspicious for Alice to have a revoked key.
The only real answer is to have Charlie download all candidate keys (and there may be quite a few) and find a trust path to them locally. He can't really trust anything that is told to him by the server.
In any event, I think there is a bit of confusion here. Both include-subkeys and include-revoked *are* the defaults. In the case of include-revoked, the manual even tells people not to turn it off, and why:
When searching for a key with --search-keys, include keys
that are marked on the keyserver as revoked. Note that
not all keyservers differentiate between revoked and
unrevoked keys, and for such keyservers this option is
meaningless. Note also that most keyservers do not have
cryptographic verification of key revocations, and so
turning this option off may result in skipping keys that
are incorrectly marked as revoked.
More information about the Gnupg-users