? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?

antony at blazrsoft.com antony at blazrsoft.com
Tue Dec 27 22:46:00 CET 2016

On December 27, 2016 4:09:35 PM EST, Don Warner Saklad <dsaklad at gnu.org> wrote:
>What do you kind folks out there make of comments at
> >"I'm told that key servers carry many phony keys claiming to be
>   mine. Here is info about which keys are really mine."
> >"Of course, to be really sure which key is mine, you need to get my
>   key fingerprint from me or follow a chain of signatures. If a phony
>   key appears to be signed by someone you trust, you should see what's
>   up with that person."
>and 4th sentence from the top at
> >"If you want to send me GPG-encrypted mail, do not trust key servers!
>  Some of them have phony keys under my name and email address, made by
>   someone else as a trick. See gpg.html for my real key."
>Gnupg-users mailing list
>Gnupg-users at gnupg.org

Well, keys on keyservers never provide any assurance that they belong to the owner. There always needs to be some kind of verification done out of band to ensure that the key belongs to who you think it does. Whether that be fingerprint matching or actually physically meeting them and signing each other's keys after identity verification, etc.
Sent from my Android device with K-9 Mail. Please excuse my brevity.

More information about the Gnupg-users mailing list