[Keyserver] Hockeypuck 2.1.0 released

Werner Koch wk at gnupg.org
Fri Dec 11 11:23:19 CET 2020


On Thu, 10 Dec 2020 11:07, Casey Marshall said:

>    - Authenticated key management. This adds a couple of extra endpoints
>    which allow a key owner to replace and delete their key, authenticated by
>    signing the armored key in the request. This allows a key owner to still
>    update their own key once it has been inflated beyond the key

Finally after more than 20 years waiting for someone to implement such a
feature.  Yeah.  Where can I find the specs?

Did you consider that an authenticated request to delete a key may not
actually remove the key from the keyserver?  Instead the primary key
should be kept and the server prepared to receive and merge even
unauthenticated revocation certificates.  This is important in case of a
lost key (or passphrase forgotten) so that a pre-created revocation
certificate can be uploaded.  Also avoids DoS after a key compromise.

> Blacklists and auth key management may also be of interest to keyserver

Still revocation certificates should get through.  At least the first
valid revocation certificate needs to be handled before the key can be
set into an eternal non-modifiable state.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by federal law.


More information about the Gnupg-users mailing list
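
A minimal Go model of the policy suggested in the message above, added here as an illustration; it is not Hockeypuck code and not code from the thread. `Record`, `Store`, `revocationMsg` and the `FPR1` fingerprint are hypothetical names, and an Ed25519 signature stands in for an OpenPGP revocation certificate.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Record is a simplified stand-in for a stored key (assumption: no real OpenPGP packets).
type Record struct {
	Primary    ed25519.PublicKey // retained even after an authenticated delete
	UserIDs    []string
	Revocation []byte // first valid revocation certificate received
	Frozen     bool   // blacklisted or locked against ordinary updates
}

type Store map[string]*Record

// revocationMsg is the constructed statement that a revocation certificate signs in this model.
func revocationMsg(pub ed25519.PublicKey) []byte {
	return append([]byte("revoke:"), pub...)
}

// Delete handles an authenticated delete: user data goes, the primary key stays.
func (s Store) Delete(fpr string) {
	if r, ok := s[fpr]; ok {
		r.UserIDs = nil
	}
}

// SubmitRevocation takes no request authentication and ignores Frozen:
// the certificate proves itself against the retained primary key.
func (s Store) SubmitRevocation(fpr string, sig []byte) error {
	r, ok := s[fpr]
	if !ok || !ed25519.Verify(r.Primary, revocationMsg(r.Primary), sig) {
		return errors.New("no retained primary key, or invalid certificate")
	}
	if r.Revocation == nil {
		r.Revocation = sig // the first valid certificate is the one merged
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample key
	s := Store{"FPR1": {Primary: pub, UserIDs: []string{"alice@example.org"}}}
	s.Delete("FPR1")
	fmt.Println(s.SubmitRevocation("FPR1", ed25519.Sign(priv, revocationMsg(pub))))
}
```

If `Delete` removed the whole record instead, `SubmitRevocation` would have nothing to verify against and a pre-created revocation certificate could no longer be published.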