Key poisoning

Andrew Gallagher andrewg at
Thu Aug 15 08:07:34 CEST 2019

> On 14 Aug 2019, at 23:38, Daniel Clery <dan at> wrote:
> If the keyserver implemented a signer blacklist (which would scrub the blacklisted signature from any current or incoming public keys), what consequences am I missing?

This is known as “enumerating badness” and it doesn’t scale. You would only be able to identify a bad actor after its actions are noticed - by a human being. Also, if thousands of separate keys have signed another key, making it unusable, how do we decide which of those thousands of keys are legit and which the bad actors? Generating lots of keys on modern hardware is not difficult. 

