Key selection order

Lachlan Gunn lachlan at twopif.net
Thu Jan 14 17:03:54 CET 2016


Hello,

Through my searches online and looking at g10/getkey.c, it seems that when
multiple keys exist with the same name/email/etc., gpg will use the first
one that it finds in the database.  Is this correct?

If so, suppose an attacker inserted a fake key with my details into an HKP
keyserver.  What should I do?  Keys could be returned in any order, and HKP
gives no indication of when they were last updated, so the client can't
separate them that way.

Is there an obvious way to deal with this that I'm missing, or once a false
key is uploaded is it game-over, and I just have to hope that people will
be able to work out which is which through other means?

Apologies if this is covered in the documentation and I have failed to find
it in my reading.

Thanks,
Lachlan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160114/b69bbcba/attachment.html>


More information about the Gnupg-users mailing list