allow-non-selfsigned-uid issue with key from keys.openpgp.org that contains no identity information

Teemu Likonen tlikonen at iki.fi
Thu Aug 1 19:18:23 CEST 2019


Daniel Kahn Gillmor via Gnupg-users [2019-08-01T09:27:45-04] wrote:

> Here's one use case (i've got others if you want):
>
>  * You have my OpenPGP certificate (with userid with e-mail address),
>    but it is not published in full publicly because i do not want people
>    to be able to find anything related to my e-mail address online.
>
>  * It has an encryption-capable subkey "X" that expires in 1 year, which
>    i use to be able to have deletable messages.  I will destroy the
>    secret component when X expires.
>
>  * As the year draws to a close, i create a new subkey "Y" and i attach
>    it to my OpenPGP certificate, and i push the updated certificate to
>    an abuse-resistant keystore (like keys.openpgp.org), again declining
>    to allow it to publish my e-mail address.
>
>  * After the expiration of "X", you want to send me an encrypted mail
>    (as is your habit when mailing me).  You follow best practices and
>    refresh your keyring (fetching certificate updates by primary key
>    fingerprint) from a public, abuse-resistant keystore.  Does your
>    OpenPGP implementation learn about "Y" when it pulls in the update?
>    It should.

To me this sounds like a very relevant use case, and it adds one more feature to
the general OpenPGP system. I hope future implementations also support
exporting and importing (merging) partial key block data.

-- 
///  OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
//  https://keys.openpgp.org/search?q=tlikonen@iki.fi
/  https://keybase.io/tlikonen  https://github.com/tlikonen
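The certificate update described in the use case above arrives as an OpenPGP key block that may carry a primary key and a new subkey but no User ID packet at all. The following Python script is an added example, not code from this thread or from GnuPG: it parses only the RFC 4880 packet framing (old- and new-format headers) of a key block, counts the packet types, and reports whether the block carries any identity information, so a practitioner can see what a keystore actually returned before deciding how to merge it. All sample key blocks in it are constructed from placeholder bytes and contain no real key material or signatures; the function names are this example's own.

```python
"""Summarize the packets in a binary OpenPGP key block (RFC 4880 framing only).

Added example, not from the thread: before merging a certificate fetched by
fingerprint from a keystore such as keys.openpgp.org, list which packet types it
carries. A block with no User ID packet (tag 13) is the case discussed in this
thread; it may still carry a fresh subkey (tag 14) worth merging.
"""
import base64
from collections import Counter

# Packet tags from RFC 4880 section 4.3 (only those relevant to key blocks).
TAG_NAMES = {
    2: "signature",
    6: "public-key",
    13: "user-id",
    14: "public-subkey",
    17: "user-attribute",
}


def dearmor(text: str) -> bytes:
    """Strip an ASCII-armor envelope and return the binary body (CRC line ignored)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            if line == "":
                in_body = True  # the blank line ends the armor headers
            continue
        if line.startswith("="):
            continue  # 24-bit CRC line, not part of the data
        body.append(line)
    return base64.b64decode("".join(body))


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos, n = 0, len(data)
    while pos < n:
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"bad packet header byte at offset {pos}")
        pos += 1
        if first & 0x40:  # new-format header
            tag = first & 0x3F
            b0 = data[pos]
            pos += 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length = ((b0 - 192) << 8) + data[pos] + 192
                pos += 1
            elif b0 == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not used in key blocks")
        else:  # old-format header
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                length = n - pos  # indeterminate: runs to the end of the data
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        if pos + length > n:
            raise ValueError(f"packet at offset {pos} is truncated")
        yield tag, data[pos:pos + length]
        pos += length


def summarize(data: bytes) -> dict:
    """Count packets by name, e.g. {'public-key': 1, 'public-subkey': 2, ...}."""
    return dict(Counter(TAG_NAMES.get(tag, f"tag-{tag}") for tag, _ in iter_packets(data)))


def has_identity(data: bytes) -> bool:
    """True if the block carries at least one User ID or User Attribute packet."""
    return any(tag in (13, 17) for tag, _ in iter_packets(data))


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Build a new-format packet header; used here only to construct sample data."""
    if len(body) < 192:
        length = bytes([len(body)])
    elif len(body) < 8384:
        v = len(body) - 192
        length = bytes([(v >> 8) + 192, v & 0xFF])
    else:
        length = b"\xff" + len(body).to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


# Constructed sample data: packet bodies are placeholder bytes, not real key material.
FULL_CERT = (
    new_format_packet(6, b"\x04" + b"K" * 60)                # primary public key
    + new_format_packet(13, b"Alice <alice@example.org>")    # user ID
    + new_format_packet(2, b"S" * 300)                       # self-signature (2-byte length)
    + new_format_packet(14, b"\x04" + b"X" * 60)             # subkey X
    + new_format_packet(2, b"S" * 300)                       # binding signature
)
# Constructed stand-in for an identity-stripped keystore response carrying a new subkey Y.
STRIPPED_UPDATE = (
    new_format_packet(6, b"\x04" + b"K" * 60)
    + new_format_packet(14, b"\x04" + b"Y" * 60)
    + new_format_packet(2, b"S" * 300)
)

if __name__ == "__main__":
    for name, blob in (("full", FULL_CERT), ("stripped", STRIPPED_UPDATE)):
        print(name, summarize(blob), "identity:", has_identity(blob))
```

On a real download, pass the armored text through `dearmor()` first; the script deliberately stops at packet framing and does not validate signatures, so it tells you what the keystore sent, not whether the subkey binding is genuine.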