expires2011 at ymail.com
Sat Dec 17 17:15:37 CET 2011
-----BEGIN PGP SIGNED MESSAGE-----
On Saturday 17 December 2011 at 1:23:18 PM, in
<mid:4EEC97C6.5040303 at lists.grepular.com>, gnupg at lists.grepular.com
> I find it strange that the keyservers don't do any sort
> of email validation before accepting key submissions

A key's UIDs don't *have to* contain email addresses. But in the case
where they do, a verification email would be a useful addition. But
whether useful enough to warrant the increased complexity and server
load, I have no idea.

> and that they just allow anyone to upload signatures
> for your key without verifying if you want to allow
> them first.

Since you don't log into a keyserver when you post, and keyservers
store data but do not perform cryptographic functions, this is pretty
much inevitable. The "keyserver-no-modify" flag could, in theory,
carry with it a requirement that modifications to a key were signed by
that key. But, once again, increased complexity and server load. And
what about propagating changes between keyservers?
MFPA mailto:expires2011 at ymail.com
The greater the power, the more dangerous the abuse.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----