keyserver spam

[MFPA]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 17 December 2011 at 1:23:18 PM, in
<mid:4EEC97C6.5040303 at lists.grepular.com>, gnupg at lists.grepular.com
wrote:


> I find it strange that the keyservers don't do any sort
> of email validation before accepting key submissions

A key's UIDs don't *have to* contain email addresses. But in the case
where they do, a verification email would be a useful addition. But
whether useful enough to warrant the increased complexity and server
load, I have no idea.



> and that they just allow anyone to upload signatures
> for your key without verifying if you want to allow
> them first.

Since you don't log into a keyserver when you post, and keyservers
store data but do not perform cryptographic functions, this is pretty
much inevitable. The "keyserver-no-modify" flag could, in theory,
carry with it a requirement that modifications to a key were signed by
that key. But, once again, increased complexity and server load. And
what about propagating changes between keyservers?

- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

The greater the power, the more dangerous the abuse.
-----BEGIN PGP SIGNATURE-----

iQCVAwUBTuzAMKipC46tDG5pAQqDqQP+Lz02ndWZXA4L1lBl9zcL4uHAo7kzm+fc
a9NShBJar0Mre9xl1RExq4Af1gPxPwUehuFA0B3oP5F8UtBRhr/WJgKWqHRtvnGw
cen76xmgPovfGXSmPP3AuLFPjuRF6rh/gt8AYvnjfSWV4vUzIHNhEs/HOWMKv90W
jHcueN9wb00=
=/xko
-----END PGP SIGNATURE-----