-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/06/12 02:36, Robert J. Hansen wrote:
>> I believe the etiquette is that the signed key block should be >> returned to the certificate's owner, for her/him to do what >> he/she deems convenient, e.g. upload it to a keyserver. > > I haven't found widespread belief this is a community norm. > There's a vocal segment that believes one or more of this is a > community norm, it must be a community norm, it is morally and/or > ethically wrong if it is not a community norm -- but it's a > segment, and doesn't seem to be shared by the whole of the > community. > >> The signer himself/herself should not upload the sign key block >> to a key server, or publish it in any other way, without the >> certificate's owner explicit authorization or request. > > By what right can I -- or anyone on this list -- claim the > authority to declare what members of the community should or > shouldn't do? I'm writing a FAQ, not establishing community norms. > I don't mind writing the FAQ, but I do mind trying to impose norms. > It's not something I'm comfortable with. (Besides. If I tried, > people would laugh at me, and deservedly so.) > > It's reasonable to present the controversy, and I'll make mention > of it in the next revision. That's as far as I'll go. FWIW, until I read somebody complaining about people uploading key signatures, instead of sending them to the key owner, it never occurred to me that it could possibly be a problem for anyone. My immediate thought on reading it for the first time was that if it's a bad thing, then the keyservers should prevent it. Even if it was obviously a bad thing, people would still do it. So if it's completely morally ambiguous, and possible, it's going to happen. No amount of documentation or education will change that. I mean, technically it should be easy for the keyservers to email the owner of a key to ask if a signature should be accepted. Or to refuse uploaded signatures unless they are themselves signed by the owner of the key. If it really is a problem, then it can be fixed with code. > Of course, ultimately Werner is the one who gets thumbs-up or > thumbs-down on this -- if it's to someday become the official FAQ, > then he gets final signoff authority. So if you disagree, feel > free to pitch it to him, but you've heard my position on it. :) Doesn't matter what the FAQ says in this regard. It will continue to happen unless the key servers actively prevent it. - -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4 -----BEGIN PGP SIGNATURE----- iQGGBAEBAgBwBQJPzc/JMBSAAAAAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGlu Z0BwZ3AuY29tcGdwbWltZTgUgAAAAAAVABpwa2EtYWRkcmVzc0BnbnVwZy5vcmdt aWtlLmNhcmR3ZWxsQGdyZXB1bGFyLmNvbQAKCRCdJiMBwdHnBJaOCACjRmIiftT3 1TrQgtsh22xVOCzFJ9rasilQSrIvtZo3yO/S/ov9z37IEn3xeHC3R9xc3jHC2BJ1 9tCrK6OS8SBgWS4o6zzEB9isfULG7466ljeZgc9Oe8kBZONJkHVQ5Tp8x7cCOaHV xhFtO7LX9na4YzL+1ZtwjWTeMR0+H93MKU0KhexhwS0VcU8S5hWu63/xIYB+YrAO mHR/klnTvWym+KEsjUyfBLquLQ+xYZA4iKTBsKBMYHLpp2eDGIru8xDB6a3gzUYB OiiZYXS1sZRZZqd5JbB/SHEM6NMn7U3IpIkLeAAivGoWbPq2ZmAsf/U+jVD9Fv5I HZ2VhX4eEydA =PHqH -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users