On 27.02.15 13:11, Kristian Fiskerstrand wrote:
> On 02/27/2015 12:43 PM, Hauke Laging wrote:
>> On Fri 27.02.2015, 12:27:40, gnupgpacker wrote:
>
>>> Maybe implementation with an opt-in could preserve publishing
>>> of faked keys on public keyservers?
>
>> We need keyservers which are a lot better than today's. IMHO
>> that also means that a keyserver should tell a client for each
>> offered certificate whether it (or a trusted keyserver) has made
>> such an email verification.
>
> The keyservers have no role in this, they are pure data store and
> can never act as a CA. That would bring up a can of worms of issues,
> both politically and legally, I wouldn't want to see the first case
> where a keyserver operator was sued for permitting a "fake key"
> (the term itself is very misleading, the key itself isn't fake at
> all, but a fully valid key where the UID has not been mated to its
> holder through proper validation).

But that's the main primary reason of the article at all. The fact that anyone can upload _every_ key to a keyserver is an issue. If keyservers would do some sort of verification (e.g. confirmation of the email addresses) then this would lead to much more reliable data.

Furthermore, we need a feature to allow keys to be removed in case the true owner of an email address requests it. I know that this collides with today's keyservers and it also collides with keyservers exchanging keys between each other, but I strongly believe that this would make keyservers more trustworthy than today.

-Patrick