On 6/5/2012 5:22 AM, gn...@lists.grepular.com wrote:
> FWIW, until I read somebody complaining about people uploading key
> signatures, instead of sending them to the key owner, it never
> occurred to me that it could possibly be a problem for anyone.

I'll go one step further: my personal belief is that this pursuit is a fool's errand.

What people are really asking for is a concept the military calls ORCON, for "ORiginator CONtrol" [1]. The idea is that with ORCON data the person or agency that originated the data gets absolute control over how the data is disseminated and how it may be released.

To do ORCON within the context of public-key certificates, we would need:

1. Infrastructure. The keyserver-no-modify flag is a nice idea, but no keyserver currently honors it.

2. Training. ORCON is a hard thing to pull off, and requires that the originator and those who come into contact with the data know how to treat ORCON data. That's simply not going to happen.

3. Accountability. There needs to be some way or ways to detect ORCON violations and handle offenders appropriately (social condemnation). But there's no way to tell who uploads a certificate to a keyserver. If Bob signs Alice's key and Charlie, Bob's roommate, who has access to Bob's public keyring, later uploads Alice's certificate to the keyserver, it makes no sense to blame Bob (the signer) for what Charlie did (violate ORCON). But since there's no way to trace it back to Charlie...

Once those three are addressed then I'll take the "I want ORCON" crowd seriously. Until then, my response to the ORCON crowd is "I want stronger beer and honest politicians." I think it's foolish to try to establish a social norm where offenders cannot be identified and the norm cannot be enforced.

That doesn't mean I think Charly's wishes shouldn't be respected: he's made his wishes clear and I think decent people will respect them. But there's a difference between saying "I'll respect the desires of someone who makes their wishes on this subject clear" and "there is a social norm which must be upheld."

[1] http://en.wikipedia.org/wiki/Classified_information_in_the_United_States#Handling_caveats