keyserver spam

gnupg at lists.grepular.com
Sat Dec 17 14:54:00 CET 2011


On 17/12/11 13:33, Jerome Baum wrote:

>> I find it strange that the keyservers don't do any sort of email
>> validation before accepting key submissions and that they just allow
>> anyone to upload signatures for your key without verifying if you want
>> to allow them first.
> 
> What about keys without an email in the UID?

For the first issue regarding uploading keys, you wouldn't be able to do
email validation on a key that doesn't have an email address in the UID.
At the same time, for those keys, you wouldn't need to, as no email
spoofing has taken place, so that's not an issue...

For the second issue, regarding uploading signatures: an email in the UID
isn't required. You just need to differentiate between signatures that
the owner of the key has allowed, and signatures that they haven't. The
owner of the key can prove that they are the owner of the key and accept
the signature using normal public key crypto. An email in the UID of the
key owner would be useful so you can contact them to let them know that
somebody has uploaded a signature. Not required though.

> What prevents me from signing your key and distributing the signature in some other way?

Nothing. The subject at hand is problems with the keyservers. Any other
distribution mechanism is irrelevant.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
