On 17/12/11 13:33, Jerome Baum wrote:

>> I find it strange that the keyservers don't do any sort of email
>> validation before accepting key submissions and that they just allow
>> anyone to upload signatures for your key without verifying if you want
>> to allow them first.
>
> What about keys without an email in the UID?

For the first issue, regarding uploading keys: you wouldn't be able to do email validation on a key that doesn't have an email address in the UID. At the same time, for those keys you wouldn't need to, as no email spoofing has taken place, so that's not an issue...

For the second issue, regarding uploading signatures: email in the UID isn't required. You just need to differentiate between signatures that the owner of the key has allowed and signatures that they haven't. The owner of the key can prove that they are the owner of the key and accept the signature using normal public key crypto. An email in the UID of the key owner would be useful so you can contact them to let them know that somebody has uploaded a signature. Not required, though.

> What prevents me from signing your key and distributing the signature in some
> other way?

Nothing. The subject at hand is problems with the keyservers. Any other distribution mechanism is irrelevant.

-- 
Mike Cardwell  https://grepular.com/  https://twitter.com/mickeyc
Professional   http://cardwellit.com/  http://linkedin.com/in/mikecardwell
PGP.mit.edu    0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
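The owner-consent mechanism Mike sketches above ("the owner of the key can prove that they are the owner of the key and accept the signature using normal public key crypto") can be modelled in a few dozen lines. The following Go program is an added illustration written for this page, not code from the thread, from GnuPG or from any keyserver implementation. It assumes a deliberately simplified world: keys are Ed25519 keys from the Go standard library rather than OpenPGP keys, a "certification" is a third party's signature over the raw target key (real OpenPGP certifications also cover a user ID), and the owner's approval is a countersignature over the third party's signature. The keyserver publishes a certification only when both the signer's signature and the owner's approval verify, so an unsolicited signature, or one whose "approval" was produced by someone other than the owner, is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certification is a toy model (constructed for this example) of one
// third-party signature over a key: Signer asserts something about Target.
type Certification struct {
	Signer        ed25519.PublicKey
	Target        ed25519.PublicKey
	Signature     []byte // Signer's signature over certBody(Signer, Target)
	OwnerApproval []byte // Target owner's signature over Signature; nil if absent
}

// certBody is the byte string a third party signs when "signing your key".
func certBody(signer, target ed25519.PublicKey) []byte {
	return append(append([]byte("cert:"), signer...), target...)
}

// MakeCertification is what a third party does when they sign someone's key.
func MakeCertification(signerPriv ed25519.PrivateKey, target ed25519.PublicKey) Certification {
	signer := signerPriv.Public().(ed25519.PublicKey)
	return Certification{
		Signer:    signer,
		Target:    target,
		Signature: ed25519.Sign(signerPriv, certBody(signer, target)),
	}
}

// ApproveCertification is the key owner consenting to publication: they
// countersign the third party's signature with their own private key.
func ApproveCertification(ownerPriv ed25519.PrivateKey, c *Certification) {
	c.OwnerApproval = ed25519.Sign(ownerPriv, c.Signature)
}

var (
	ErrBadSignature = errors.New("certification signature does not verify")
	ErrNotApproved  = errors.New("key owner has not approved this certification")
)

// KeyServer publishes a certification only if both signatures verify.
type KeyServer struct {
	published map[string][]Certification // keyed by the target public key bytes
}

// Submit enforces the policy: a valid third-party signature is necessary
// but not sufficient; the target key's owner must have countersigned it.
func (ks *KeyServer) Submit(c Certification) error {
	if !ed25519.Verify(c.Signer, certBody(c.Signer, c.Target), c.Signature) {
		return ErrBadSignature
	}
	if c.OwnerApproval == nil || !ed25519.Verify(c.Target, c.Signature, c.OwnerApproval) {
		return ErrNotApproved
	}
	if ks.published == nil {
		ks.published = map[string][]Certification{}
	}
	k := string(c.Target)
	ks.published[k] = append(ks.published[k], c)
	return nil
}

// Lookup returns what the server would serve for a given key.
func (ks *KeyServer) Lookup(target ed25519.PublicKey) []Certification {
	return ks.published[string(target)]
}

// Scenario exercises three submissions against a fresh server and returns
// how many were rejected, how many accepted, and how many are published.
func Scenario() (rejected, accepted, published int, err error) {
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, 0, err
	}
	_, strangerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, 0, err
	}
	ks := &KeyServer{}

	// 1. Unsolicited signature: nobody asked the owner, so no approval.
	unsolicited := MakeCertification(strangerPriv, ownerPub)
	if e := ks.Submit(unsolicited); errors.Is(e, ErrNotApproved) {
		rejected++
	}
	// 2. Forged approval: the stranger countersigns with their own key,
	//    which does not verify under the owner's public key.
	forged := MakeCertification(strangerPriv, ownerPub)
	ApproveCertification(strangerPriv, &forged)
	if e := ks.Submit(forged); errors.Is(e, ErrNotApproved) {
		rejected++
	}
	// 3. Owner-approved signature: the owner countersigns, so it is published.
	approved := MakeCertification(strangerPriv, ownerPub)
	ApproveCertification(ownerPriv, &approved)
	if e := ks.Submit(approved); e == nil {
		accepted++
	}
	return rejected, accepted, len(ks.Lookup(ownerPub)), nil
}

func main() {
	r, a, p, err := Scenario()
	fmt.Printf("rejected=%d accepted=%d published=%d err=%v\n", r, a, p, err)
}
```

The point of the model is the second check in Submit: the server never needs an email address to decide whether to publish, only the target key itself, which it already holds. Contacting the owner (by email or otherwise) is an out-of-band courtesy for obtaining the approval, exactly as Mike says, not part of the verification.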