Garbled data in keyservers
stefan.claas at posteo.de
Sun Dec 9 13:54:01 CET 2018
On Thu, 06 Dec 2018 15:22:14 +0100, Werner Koch wrote:
> > That's right, but my thought is / was someone can (ab)use key
> > servers as data storage / retrieval system and then only provides
> > the key id
> As it has been commented, there are easier ways to do that.
I have read also the threads at sks devel ML and my suggestions
would be that we need more international CAs to get rid of all
the problems the key server network has.
People should think about the following:
Get a sig from a CA and then upload your key via email.
Then the key servers do something like a gpg --check-sigs
to see if a key bears a valid CA sig and if it is found in their
index the key will be added to the network, once the submitted
UID matches with the email address header. So no cryptographic
verification is imho needed. This would also eliminate, I think,
that someone else can upload someone else's pub key.
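
Added example, not part of the original message and not GnuPG or SKS code: a sketch of the acceptance check proposed above, run over the colon-delimited output of `gpg --with-colons --check-sigs`. The key IDs, addresses, the `CA_INDEX` set and both function names are constructed for illustration, and the From header is taken as given, as the proposal describes.

```python
from email.utils import parseaddr

# Constructed sample of `gpg --with-colons --check-sigs` output (not real keys).
# Field 1 = record type, field 2 of a sig record = check result ('!' good,
# '-' bad), field 5 = signer key ID, field 10 = user ID string.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1544000000:::-:::scESC:
uid:-::::1544000000::0000::Alice Example <alice@example.org>:
sig:!::1:AAAAAAAAAAAAAAAA:1544000000::::Alice Example <alice@example.org>:13x:
sig:!::1:CCCCCCCCCCCCCCCC:1544000100::::Example CA <ca@example.net>:10x:
uid:-::::1544000000::0001::Alice <alice@other.example>:
sig:!::1:AAAAAAAAAAAAAAAA:1544000000::::Alice Example <alice@example.org>:13x:
sig:-::1:CCCCCCCCCCCCCCCC:1544000100::::Example CA <ca@example.net>:10x:
"""

CA_INDEX = {"CCCCCCCCCCCCCCCC"}  # hypothetical index of accepted CA key IDs


def ca_certified_addresses(colons, ca_index):
    """Return the e-mail addresses of UIDs that carry a good CA signature."""
    certified, current = set(), None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            # Signature records that follow belong to this user ID.
            current = parseaddr(f[9])[1].lower()
        elif f[0] in ("pub", "sub"):
            current = None
        elif f[0] == "sig" and current and len(f) > 4:
            # Only signatures gpg verified ('!') from an indexed CA count.
            if f[1] == "!" and f[4] in ca_index:
                certified.add(current)
    return certified


def accept_submission(colons, from_header, ca_index=CA_INDEX):
    """Accept only if the From address matches a CA-certified UID."""
    sender = parseaddr(from_header)[1].lower()
    return bool(sender) and sender in ca_certified_addresses(colons, ca_index)


if __name__ == "__main__":
    print(accept_submission(SAMPLE, "Alice <alice@example.org>"))
    print(accept_submission(SAMPLE, "alice@other.example"))
```
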