Preventing public key upload to key-servers

Andrew Gallagher andrewg at andrewg.com
Mon Jan 31 18:11:52 CET 2022


On 29/01/2022 01:55, Johan Wevers via Gnupg-users wrote:
> There are known technical issues: the HKP keyserver does not allow keys
> to be removed, GDPR or not. When the keyserver operator operates outside
> of the EU I don't think that is a legal problem.

This is incorrect. All three of the commonly-used HKP servers can remove
keys; this has been done for years to remove poison (i.e. oversized)
keys that cause DoS. However, doing so comes with costs.

SKS does not properly support removing keys, however it is often patched
to include a list of known poison keys that should be ignored. This
obviously does not scale. Other keyservers (Hockeypuck and Hagrid) have
proper support for removing keys.

The longer-term cost is that keyserver sync (in SKS and Hockeypuck)
degrades as the list of blocked keys grows. Hockeypuck caches sync
failures and so (in theory) degrades more gracefully than SKS, which
does not.

A
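The poison-key blocklist and oversized-key rejection described in the message above, as an added example that is not part of the original thread and not code from SKS, Hockeypuck or Hagrid: a keyserver-side submission filter that walks a binary (unarmoured) OpenPGP packet stream per RFC 4880, computes the v4 fingerprint of the primary key packet, and rejects keys that are blocklisted, too large, or carry too many signature packets. The thresholds, the blocklist, and the sample key (toy packets built inline, not a real key) are assumptions for illustration.

```python
"""Submission filter for an HKP keyserver: reject blocklisted (poison)
fingerprints and oversized keys before they enter the database.
Input is a binary OpenPGP packet stream (RFC 4880); armour is not handled."""
import hashlib
import struct
from dataclasses import dataclass

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13


@dataclass
class Packet:
    tag: int
    body: bytes


def parse_packets(data: bytes) -> list:
    """Split a packet stream into Packet(tag, body). Old- and new-format
    headers are handled; partial and indeterminate lengths are refused
    because a filter must not guess at framing."""
    packets, i, n = [], 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {i}")
        i += 1
        if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            lentype = ctb & 0x03
            if lentype == 0:
                length = data[i]; i += 1
            elif lentype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]; i += 2
            elif lentype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("indeterminate length not supported")
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        packets.append(Packet(tag, body))
    return packets


def fingerprint_v4(pubkey_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet body length, body."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("only v4 keys supported")
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def evaluate(key: bytes, blocklist, max_bytes=1_000_000, max_sigs=1000) -> tuple:
    """Return (accepted, reason). Byte size is checked before parsing so
    an oversized blob never costs parser time. Thresholds are assumptions."""
    if len(key) > max_bytes:
        return False, f"oversized: {len(key)} bytes > {max_bytes}"
    packets = parse_packets(key)
    if not packets or packets[0].tag != TAG_PUBLIC_KEY:
        return False, "does not start with a primary public key packet"
    fp = fingerprint_v4(packets[0].body)
    if fp in blocklist:
        return False, f"blocklisted fingerprint {fp}"
    sigs = sum(1 for p in packets if p.tag == TAG_SIGNATURE)
    if sigs > max_sigs:
        return False, f"poison key: {sigs} signatures > {max_sigs}"
    return True, f"ok: {fp} ({sigs} signatures)"


def _old_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a two-octet length (length type 1)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def _mpi(value: int) -> bytes:
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_sample_key(n_sigs: int) -> bytes:
    """Constructed test data, not a real key: a v4 RSA primary key packet
    with toy MPIs, one user ID, and n_sigs dummy signature packets."""
    pubkey_body = (b"\x04" + struct.pack(">I", 1_600_000_000) + b"\x01"
                   + _mpi(0xC0FFEE) + _mpi(65537))
    uid = b"Example User <example at example.org>"
    sig_body = b"\x04\x10\x01\x08" + b"\x00" * 20  # framing only, not a valid signature
    key = _old_packet(TAG_PUBLIC_KEY, pubkey_body) + _old_packet(TAG_USER_ID, uid)
    return key + _old_packet(TAG_SIGNATURE, sig_body) * n_sigs


if __name__ == "__main__":
    good = build_sample_key(3)
    print(evaluate(good, set()))
    fp = fingerprint_v4(parse_packets(good)[0].body)
    print(evaluate(good, {fp}))              # blocklisted
    print(evaluate(build_sample_key(2000), set()))  # too many signatures
```

A blocklist keyed on the primary fingerprint is what a patched SKS effectively carries as a static ignore list; the signature-count and byte-size limits catch the certificate-flooding pattern without needing a per-key entry, but every rejection is still a key that peers may keep offering during sync, which is the degradation the message above describes.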


