[Keyserver] Hockeypuck 2.1.0 released

Stefan Claas spam.trap.mailing.lists at gmail.com
Fri Dec 11 18:56:24 CET 2020

On Fri, Dec 11, 2020 at 10:25 AM Werner Koch <wk at gnupg.org> wrote:
> On Thu, 10 Dec 2020 11:07, Casey Marshall said:
> >    - Authenticated key management. This adds a couple of extra endpoints
> >    which allow a key owner to replace and delete their key, authenticated by
> >    signing the armored key in the request. This allows a key owner to still
> >    update their own key once it has been inflated beyond the key
> Finally after more than 20 years waiting for someone to implement such a
> feature.  Yeah.  Where can I find the specs?
> Did you consider that an authenticated request to delete a key may not
> actually remove the key from the keyserver?  Instead the the primary key
> should be kept and the server prepared to receive and merge even
> unauthenticated revocation certificates.  This is important in case of a
> lost key (or passphrase forgotten) so that a pre-created revocation
> certificate can be uploaded.  Also avoids DoS after a key compromise.

Hi Werner and Casey,

I have a question for both of you.

When I reported a while ago on GitHub about a fake uat packet on Werner's
key you quickly fixed the issue and the added image of 'Donnie' no longer
showed up at the Ubuntu keyserver. Interestingly now GitHub shows zero
issues as of today, while yesterday still some issues where open and a lot
of them closed.

Now my second question how is/was this done with Werner's key?

SKS still shows Werner's key with signatures, while the Ubuntu keyserver
shows only a very small key now. Before that the Ubuntu key server showed
the sigs too and additionally the fake uat packet (Donnie image).

Does this mean that a GnuPG user can modify his key in such a way
and re-submit it, so that the result is now like Werner's key or can a
Hockerpuck operator do this (on behalf) of the key owner? The key
in question, on the Ubuntu keyserver has also no longer a UID, which
I thought only sequoia-pgp can handle and not GnuPG.




More information about the Gnupg-users mailing list