allow-non-selfsigned-uid issue with key from keys.openpgp.org that contains no identity information

Werner Koch wk at gnupg.org
Thu Aug 1 13:37:26 CEST 2019


On Mon, 29 Jul 2019 09:43, gnupg-users at gnupg.org said:
> it that way", i think.  Perhaps Werner can provide more background on
> why GnuPG is generally resistant to holding OpenPGP certificates that
> have no User ID at all in its local keyring.

The user ID is important because the accompanying self-signature conveys
important information about the keyblock.  For example expiration date
and preferences.  It is true that this can also be conveyed with
direct-key-signatures (a self-signature directly on a key which was
mainly introduced for dedicated revocations).  However, this is a not so
well tested feature of gpg and my educated guess is that many other
OpenPGP implementations do not handle direct-key signatures in a way
compatible to pgp or gpg - if at all.  Thus by relying on them we would
sail into uncharted waters.

> Doing such a merge would be super helpful, particularly for receiving
> things like subkey updates and revocation information from

I agree that we can add a code path to import a primary key plus
revocation certificate but without user-ids.  PGP however, does not
support this and is the reason why we extended the revocation
certifciate with a minmal primary key.

Update of subkeys is a different issue and I see no solid use case for
allowing that without user-id (cf. expiration date of the primary key).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190801/fc3f72aa/attachment.sig>


More information about the Gnupg-users mailing list