FAQ, take two

gnupg at lists.grepular.com
Tue Jun 5 11:22:17 CEST 2012

On 05/06/12 02:36, Robert J. Hansen wrote:

>> I believe the etiquette is that the signed key block should be
>> returned to the certificate's owner, for her/him to do what
>> he/she deems convenient, e.g. upload it to a keyserver.
> I haven't found widespread belief this is a community norm.
> There's a vocal segment that believes one or more of this is a
> community norm, it must be a community norm, it is morally and/or
> ethically wrong if it is not a community norm -- but it's a
> segment, and doesn't seem to be shared by the whole of the
> community.
>> The signer himself/herself should not upload the signed key block
>> to a key server, or publish it in any other way, without the
>> certificate owner's explicit authorization or request.
> By what right can I -- or anyone on this list -- claim the
> authority to declare what members of the community should or
> shouldn't do?  I'm writing a FAQ, not establishing community norms.
> I don't mind writing the FAQ, but I do mind trying to impose norms.
> It's not something I'm comfortable with.  (Besides.  If I tried,
> people would laugh at me, and deservedly so.)
> It's reasonable to present the controversy, and I'll make mention
> of it in the next revision.  That's as far as I'll go.

FWIW, until I read somebody complaining about people uploading key
signatures, instead of sending them to the key owner, it never
occurred to me that it could possibly be a problem for anyone. My
immediate thought on reading it for the first time was that if it's a
bad thing, then the keyservers should prevent it. Even if it was
obviously a bad thing, people would still do it. So if it's completely
morally ambiguous, and possible, it's going to happen. No amount of
documentation or education will change that.

I mean, technically it should be easy for the keyservers to email the
owner of a key to ask if a signature should be accepted. Or to refuse
uploaded signatures unless they are themselves signed by the owner of
the key. If it really is a problem, then it can be fixed with code.

> Of course, ultimately Werner is the one who gets thumbs-up or 
> thumbs-down on this -- if it's to someday become the official FAQ,
> then he gets final signoff authority.  So if you disagree, feel
> free to pitch it to him, but you've heard my position on it.  :)

Doesn't matter what the FAQ says in this regard. It will continue to
happen unless the key servers actively prevent it.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4

