lsign produces exportable signatures when used for self-sigs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Sep 13 16:42:13 CEST 2013


On 09/13/2013 09:49 AM, Peter Lebbing wrote:
> On 2013-09-13 14:24, Nicholas Cole wrote:
>> The correct way would be to have keyservers
>> honour the no-modify flag, or perhaps have some notation on the ID
>> that prevents uploading to a public keyserver.  I myself would favour
>> the latter approach.
> 
> The latter has the same problem as the no-modify flag: it can be
> subverted by someone as long as the keyservers do not do crypto.

yes, pretty much anything can be published as long as the keyservers do
not do crypto.  That's something that the keyservers need to fix, as it
would prevent other problems as well.

In the meantime, we can produce certifications that won't be
misinterpreted by the keyservers as they currently exist, and can be
validated by any future keyservers that do proper cryptographic checks.

	--dkg
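A worked check of the two flags this thread turns on, added here as an example and not code from the thread or from GnuPG: it parses the hashed subpacket area of a constructed v4 OpenPGP signature packet (RFC 4880 layout; the fixture uses a dummy hash prefix and MPI, so it is not a real signature) and reports whether the certification carries the exportable-certification subpacket set to 0, as a local signature should, and whether the key-server preferences subpacket sets no-modify. Only hashed subpackets are consulted, since those are the ones a keyserver doing proper cryptographic checks could actually verify.

```python
import struct
SUBPKT_CREATION_TIME, SUBPKT_EXPORTABLE, SUBPKT_KEYSERVER_PREFS = 2, 4, 23  # subpacket types
NO_MODIFY = 0x80  # key server preferences flag (RFC 4880 5.2.3.17)

def parse_subpackets(area):
    """Return [(type, critical, data)] for one subpacket area (1/2/5-octet lengths, RFC 4880 5.2.3.1)."""
    out, pos = [], 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        out.append((area[pos] & 0x7F, bool(area[pos] & 0x80), bytes(area[pos + 1:pos + length])))
        pos += length
    return out

def hashed_subpackets(pkt):
    """Return (sig_type, hashed subpackets) of a v4 signature packet with a one-octet body length."""
    tag = pkt[0] & 0x3F if pkt[0] & 0x40 else (pkt[0] >> 2) & 0x0F  # new- or old-format header
    body = pkt[2:2 + pkt[1]]
    if tag != 2 or body[0] != 4:
        raise ValueError("not a v4 signature packet")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    return body[1], parse_subpackets(body[6:6 + hashed_len])

def certification_flags(pkt):
    """Exportable (absent subpacket means exportable, RFC 4880 5.2.3.11) and no-modify, hashed area only."""
    sig_type, hashed = hashed_subpackets(pkt)
    flags = {"sig_type": sig_type, "exportable": True, "no_modify": False}
    for sp_type, _critical, data in hashed:  # unhashed subpackets are not covered by the signature
        if sp_type == SUBPKT_EXPORTABLE:
            flags["exportable"] = data[0] == 1
        elif sp_type == SUBPKT_KEYSERVER_PREFS:
            flags["no_modify"] = bool(data[0] & NO_MODIFY)
    return flags

def build_sample_certification(exportable, no_modify):
    """Constructed fixture: positive UID self-certification (0x13); hash prefix and MPI are dummy bytes."""
    sub = lambda t, d: bytes([len(d) + 1, t]) + d  # one-octet subpacket length includes the type octet
    hashed = sub(SUBPKT_CREATION_TIME, b"\x52\x33\x0b\x9d")
    if not exportable:
        hashed += sub(SUBPKT_EXPORTABLE, b"\x00")  # the flag lsign is meant to set
    if no_modify:
        hashed += sub(SUBPKT_KEYSERVER_PREFS, bytes([NO_MODIFY]))
    unhashed = sub(16, b"\x00" * 8)  # issuer key ID subpacket, dummy value
    body = (b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd\x00\x08\xff")
    return bytes([0xC2, len(body)]) + body  # new-format header, tag 2, one-octet length
```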
