keyserver spam

Jerome Baum jerome at
Sat Dec 17 16:25:56 CET 2011

On 2011-12-17 16:17, David Shaw wrote:
> It's an interesting server, with different semantics than the
> traditional keyserver net that we were talking about earlier.  Most
> significantly, it emails the keyholder (at the address on the key)
> before accepting the key into the server.  It also signs keys that
> are submitted to it, which allows people to leverage this email
> checking in their own trust calculations, but can also "litter" keys
> with repeated signatures.  If I recall, it is (or perhaps was) the
> default keyserver for PGP installations.

I doubt the validity of those automated checks and checks on the email
anyway. What constitutes "owning" foo at To legitimately
verify this you would need to look at the domain history, conclude who
the legit owner of the domain is, contact that owner and then follow the
delegation chain to reach a real person.

Any technological solution to the problem is easy to compromise:
Accounts can be compromised, domains stolen, DNS isn't safe either and
the mail server could be penetrated. The only way to know if someone
legitimately uses a given email address is to verify the _human_
delegation chain. A computer cannot do that in the current setup.

PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
No situation is so dire that panic cannot make it worse.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 878 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20111217/172d7fce/attachment-0001.pgp>

More information about the Gnupg-users mailing list