allow-non-selfsigned-uid issue with key from keys.openpgp.org that contains no identity information
david at gbenet.com
Thu Aug 1 22:13:31 CEST 2019
Playfair via Gnupg-users:
> On 8/1/19 7:37 AM, Werner Koch via Gnupg-users wrote:
>> On Mon, 29 Jul 2019 09:43, gnupg-users at gnupg.org said:
>>> it that way", i think. Perhaps Werner can provide more background on
>>> why GnuPG is generally resistant to holding OpenPGP certificates that
>>> have no User ID at all in its local keyring.
>> The user ID is important because the accompanying self-signature conveys
>> important information about the keyblock. For example expiration date
>> and preferences. It is true that this can also be conveyed with
>> direct-key-signatures (a self-signature directly on a key which was
>> mainly introduced for dedicated revocations). However, this is a not so
>> well tested feature of gpg and my educated guess is that many other
>> OpenPGP implementations do not handle direct-key signatures in a way
>> compatible to pgp or gpg - if at all. Thus by relying on them we would
>> sail into uncharted waters.
>>> Doing such a merge would be super helpful, particularly for receiving
>>> things like subkey updates and revocation information from
>> I agree that we can add a code path to import a primary key plus
>> revocation certificate but without user-ids. PGP however, does not
>> support this and is the reason why we extended the revocation
>> certificate with a minimal primary key.
>> Update of subkeys is a different issue and I see no solid use case for
>> allowing that without user-id (cf. expiration date of the primary key).
> Couldn't this issue be dealt with by the key server instead of by
> OpenPGP implementations? GnuPG can create and import keys having
> non-email-address user IDs. A string of more than 4 characters is
> acceptable. Anything remotely resembling an email address, e.g.
> x at y.xyz, is okay.
> If keys.openpgp.org won't publish a user ID other than a verified email
> address, is its only recourse to remove the user ID? Could it instead
> substitute the hex key ID, fingerprint or a dummy string like "User ID
> not verified"? If it can't, is there any benefit in publishing a
> mutilated key people can't use? Just reject it.
Why upload a key to a keyserver with no email address? What's the point
of doing that? You can't send an encrypted email to it - unless you're
given the email first - will it work to encrypt to a public key with no
I got 180 public keys - some are very weird (I should delete them), some
keys are for signing, some sub keys are for encrypting and some sub keys
decryption - why not make a key that does it all with a load of sub keys?
Keyservers should have strict rules on public keys - all to have a valid
email a validation email sent back - then confirmed and that public key
is then available. No identity available - simple - reject the key.
Users of gpg that want to create weird and wonderful keys need to keep
them on their own laptop or desktop - keyservers should be able to purge
off these keys then keyservers would be back to what was intended.
People Should Not Be Afraid Of Their Government - Their Government
Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
Becomes A DUTY! Join the Rebellion Today! The "Captain's B(L)og"
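As an added illustration of the point Werner makes above (not code from this thread or from GnuPG), the Python below walks the packets of an OpenPGP key block, following the RFC 4880 packet framing, and reports whether it carries a User ID with a certification self-signature or only direct-key and revocation signatures on the primary key, which is what a keys.openpgp.org key with no verified email looks like. The two sample key blocks are constructed dummies: the framing and signature-type bytes are real, the key material is not.

```python
SIG, PUBKEY, USERID = 2, 6, 13                # RFC 4880 packet tags
CERTIFICATIONS = {0x10, 0x11, 0x12, 0x13}      # user-ID self-signature types
DIRECT_KEY, KEY_REVOCATION = 0x1F, 0x20        # signatures made directly on the key

def packets(blob):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("no packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                          # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, blob[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + blob[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(blob[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial-length packets not supported")
        else:                                   # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(blob[i:i + n], "big"), i + n
        yield tag, blob[i:i + length]
        i += length

def classify(blob):
    """Count user IDs and record which self-signature types a key block carries."""
    info = {"user_ids": 0, "certification": False, "direct_key_sig": False, "revocation": False}
    for tag, body in packets(blob):
        if tag == USERID:
            info["user_ids"] += 1
        elif tag == SIG and body[0] == 4:       # v4 signature: byte 1 is the type
            info["certification"] |= body[1] in CERTIFICATIONS
            info["direct_key_sig"] |= body[1] == DIRECT_KEY
            info["revocation"] |= body[1] == KEY_REVOCATION
    return info

def pkt(tag, body):                             # new-format packet, one-byte length (<192)
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed samples: the framing is real, key and signature bodies are dummies.
PRIMARY = pkt(PUBKEY, b"\x04" + b"\x00" * 8)
NORMAL_KEY = PRIMARY + pkt(USERID, b"alice@example.org") + pkt(SIG, b"\x04\x13\x00\x00")
STRIPPED_KEY = PRIMARY + pkt(SIG, b"\x04\x1f\x00\x00") + pkt(SIG, b"\x04\x20\x00\x00")
```

Running `classify` on a real exported key (`gpg --export` output) is the quickest way to see why gpg has nothing to hang expiration and preference data on when the User ID packet is missing.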