protecting pub-keys from unwanted signatures

Daniel Roesler diafygi at gmail.com
Sun Aug 16 16:12:56 CEST 2015


On Sun, Aug 16, 2015 at 4:15 AM, MFPA
<2014-667rhzu3dc-lists-groups at riseup.net> wrote:
> Hi
>
>
> On Sunday 16 August 2015 at 9:10:28 AM, in
> <mid:20150816081028.GA26761 at zwiebelfreund.de>, Stefan Claas wrote:
>
>> after seeing Facebook's public key a couple of days
>> ago, i was wondering if it's possible to enhance GnuPG
>> in a future version, so that it no longer allows
>> someone to sign a public key without approval of the
>> owner.
>
> If GnuPG were modified in this way the key could still be signed
> using an old GnuPG version, or any other OpenPGP application.
>
> I guess a modification would be possible that allowed a GnuPG user to
> sign acceptance or rejection over a third-party signature, but I'm not
> convinced there would be any point. Firstly, would such acceptance or
> rejection be dropped by the keyservers? <snip>

No, the keyserver pool does not reject any signatures, even if the
signature itself is invalid. When you receive a public key from the
keyserver pool it's the job of the client to clean/reject invalid or
unknown signatures. I've argued a bit that keyservers should start to
play a role in policing the pool, but it's a controversial topic.

https://lists.gnu.org/archive/html/sks-devel/2015-05/msg00022.html

Unfortunately, that leads to trolls tagging notable public keys (such
as Facebook and Adrian Lamo) with unseemly material, but these will
just be ignored by gpg when you fetch that public key.
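The client-side cleaning Daniel describes, as an added example that is not part of this thread and not GnuPG's own code: a minimal RFC 4880 packet walker that keeps only the certifications issued by the primary key itself (the policy GnuPG later exposed as its self-sigs-only import cleaning) over a constructed key block. It assumes old-format packet headers and one-octet subpacket lengths, uses fake key material, and attributes signatures by their Issuer subpacket without verifying them; a real client also checks the remaining self-signatures cryptographically.

```python
# Added example (not GnuPG code): strip third-party certifications from an OpenPGP
# public key block, as a client does when cleaning unknown signatures on import. Key
# material is constructed and invalid; sigs are attributed by Issuer subpacket, not verified.
import hashlib, struct

PUBKEY, SIG, UID = 6, 2, 13  # RFC 4880 packet tags used here

def packet(tag, body):  # old-format header (RFC 4880 4.2.1) with a two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def parse_packets(data):
    """Yield (tag, body) for old-format packets with 1/2/4-octet lengths."""
    i = 0
    while i < len(data):
        size = (1, 2, 4)[data[i] & 3]  # length type 3 (indeterminate) unsupported
        length = int.from_bytes(data[i + 1:i + 1 + size], "big")
        yield (data[i] >> 2) & 0x0F, data[i + 1 + size:i + 1 + size + length]
        i += 1 + size + length

def key_id(pub_body):  # v4 key ID = low 64 bits of SHA-1(0x99 || two-octet len || body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub_body)) + pub_body).digest()[-8:]

def sig_issuer(sig_body):
    """Issuer key ID from a v4 signature's hashed, then unhashed, subpackets (None if absent)."""
    pos = 4  # skip version, signature type, public-key algo, hash algo
    for _ in range(2):
        end = pos + 2 + int.from_bytes(sig_body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            length = sig_body[pos]  # demo assumes one-octet subpacket lengths (< 192)
            if sig_body[pos + 1] & 0x7F == 16:  # subpacket type 16 = Issuer
                return sig_body[pos + 2:pos + 1 + length]
            pos += 1 + length

def self_sigs_only(keyblock):
    """Keep key/UID packets and only the signatures the primary key made itself."""
    packets = list(parse_packets(keyblock))
    primary = key_id(next(body for tag, body in packets if tag == PUBKEY))
    kept = [p for p in packets if p[0] != SIG or sig_issuer(p[1]) == primary]
    return b"".join(packet(*p) for p in kept), len(packets) - len(kept)

def make_sig(sig_type, issuer):  # constructed v4 sig: one Issuer subpacket, dummy MPI
    sub = bytes([9, 16]) + issuer  # subpacket length 9 = type octet + 8-octet key ID
    return bytes([4, sig_type, 1, 10]) + struct.pack(">H", len(sub)) + sub + b"\x00\x00\x12\x34\x00\x08\xaa"

def demo():
    pub = b"\x04" + struct.pack(">I", 1439712000) + b"\x01\x00\x03\x05"  # fake v4 RSA key body
    troll = b"\xde\xad\xbe\xef\x00\x11\x22\x33"  # constructed key ID of an unknown signer
    block = (packet(PUBKEY, pub) + packet(UID, b"alice@example.org")
             + packet(SIG, make_sig(0x13, key_id(pub))) + packet(SIG, make_sig(0x10, troll)))
    return self_sigs_only(block)  # -> (cleaned block, number of signatures dropped)
```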
