? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?

NdK ndk.clanbo at gmail.com
Tue Dec 27 22:54:23 CET 2016

Il 27/12/2016 22:09, Don Warner Saklad ha scritto:
> What do you kind folks out there make of comments at
> https://stallman.org/gpg.html
>  >"I'm told that key servers carry many phony keys claiming to be
>    mine. Here is info about which keys are really mine."
>  >"Of course, to be really sure which key is mine, you need to get my
>    key fingerprint from me or follow a chain of signatures. If a phony
>    key appears to be signed by someone you trust, you should see what's
>    up with that person."
> and 4th sentence from the top at
> https://stallman.org
>  >"If you want to send me GPG-encrypted mail, do not trust key servers!
>    Some of them have phony keys under my name and email address, made by
>    someone else as a trick. See gpg.html for my real key."
Why do you find it strange?
Keyservers are just public write-only repositories that do not attempt
to verify the keys.
You have to verify the keys via the WoT (web of trust: "follow a chain
of signatures"), or by other means ("see gpg.html for my real key"), and
that's what Stallman says. Better do both: check that the chain
identifies the key given in gpg.html (must be retrieved via https).


More information about the Gnupg-users mailing list