keyserver spam

Jerome Baum jerome at
Sat Dec 17 15:07:11 CET 2011

On 2011-12-17 14:54, gnupg at wrote:
>> What about keys without an email in the UID?
> For the first issue regarding uploading keys, you wouldn't be able to do
> email validation on a key that doesn't have an email address in the UID.
> At the same time, for those keys, you wouldn't need to, as no email
> spoofing has taken place, so that's not an issue...

Spoofing is prevented through the WoT. It's not the responsibility of
the keyserver.

>> What prevents me from signing your key and distributing the signature in some other way?
> Nothing. The subject at hand is problems with the keyservers. Any other
> distribution mechanism is irrelevant.

I'll pose this differently: Why should the keyserver check with you that
you allow the signature to be uploaded? Why would you want to prevent me
from uploading the signature to an e.g. SKS keyserver, but not generally
from distributing it?

(After all, the keyserver is checking with you, you are controlling the
upload, so it must be in your interest. This isn't about the keyserver
being flooded, it's that you don't like me distributing this signature.)

Also note that SKS keyservers (and IIRC all common keyservers besides
the PGP ones?) don't do crypto operations on the OpenPGP packets. They
only handle the format, and only to merge the set of sub-packets. IIRC.

PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
No situation is so dire that panic cannot make it worse.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 878 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20111217/034a1380/attachment.pgp>

More information about the Gnupg-users mailing list