protecting pub-keys from unwanted signatures

vedaal at vedaal at
Sun Aug 16 19:15:16 CEST 2015

On 8/16/2015 at 12:34 PM, "Stefan Claas" <admin at> wrote:
>Should now GnuPG been enhaned, or the Key Server's been updated,
>similar to the order to allow such things not in
>the future?


It would be very helpful if such a protection against unwanted key signatures could be instituted.
Here is a possible suggestion on how it might be done:

[1] Have GnuPG require a 'cross-certification' of signatures, similar to the cross-certification of subkeys.

[2] Have GnuPG give a message upon importing a public key, that
"Signatures from keyid's [...], [....], and [...] have not been cross-certified by their owner,
Clean these signatures, y / n ? "

(Alternatively, the default could be:
"These signatures will be removed. If you want to keep them, enter  'keep-sig' ",

and then each new sig would be displayed, and if the importer
wants the sig, the importer would need to enter 'keep-sig' for each sig individually.)

This would require the owners of the keys to do periodic checking of their keys and cross-certify the signatures they want.

It would also be a bit of work for the owners to cross-certify all the 'good'  signatures they were happy to get.

Just a suggestion.

The implementers can best decide how much extra work this would require, and if there is a simpler better way to accomplish the desired result.


More information about the Gnupg-users mailing list