On 26/01/2022 22:03, jonkomer via Gnupg-users wrote:
> Is there anything that a public key owner can do, to actually
> *ensure* that, if some careless or malicious correspondent
> ignores the comment ("Please do not upload...") and attempts
> to upload his or her (otherwise fully functional) public key
> to the key-server(s), the key upload is rejected?
The short answer is "no", or at best "not yet".

There is a "keyserver preferences/no-modify" flag defined in rfc4880:

```
0x80 | No-modify | The key holder requests that this key only be modified
                   or updated by the key holder or an administrator of
                   the key server.
```

But this is technically fraught. Most keyservers just ignore this flag, while keys.openpgp.org effectively assumes that it is always set, but even then doesn't behave exactly as the spec implies.

keys.openpgp.org will not publish the userID of a key until the key's purported owner performs an email-based verification, and won't serve third-party sigs at all. It will however serve the non-userID components (by fingerprint search) no matter who uploaded it.

Synchronising keyservers don't perform the verification step, due to conceptual incompatibilities between the (universal) sync model and (subjective) verification, and so the full key material will be made available regardless of who uploads it.

There was a proposal in the old rfc4880bis draft that the "no-modify" flag should specifically prevent distribution of non-attested third-party sigs, but this would still not affect distribution of the userIDs and self-sigs, and has not been replicated in the new crypto-refresh draft. It is also quite likely that once sig attestations become commonplace, keyservers will stop distributing non-attested third-party sigs regardless of whether a key owner sets this flag.

Note also that a domain administrator can publish the key of any email address in the domain via WKD, and this is effectively equivalent to publishing it on a keyserver.

A
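The "no-modify" flag discussed above lives in the Key Server Preferences signature subpacket (type 23, first octet bit 0x80) of a key's self-signatures, as specified in RFC 4880 section 5.2.3.17. The following is an added example, not code from the thread or from GnuPG: a small parser for an OpenPGP signature subpacket area that reports whether the key holder has set No-modify. The subpacket bytes are constructed by hand for illustration (the timestamp and the `hkps://keys.example.invalid` URL are placeholders), and the parser is only meaningful when run over the hashed subpacket area of a self-signature, since unhashed subpackets are not covered by the signature and can be altered by anyone. As the reply notes, this shows what a client or auditor could read from a key; it does not make a keyserver honour the flag.

```python
"""
Parse an OpenPGP signature subpacket area (RFC 4880 section 5.2.3.1) and
report the Key Server Preferences "No-modify" bit (RFC 4880 section 5.2.3.17).
The sample subpacket areas at the bottom are constructed for this example and
are not taken from any real key.
"""
import struct
from typing import List, Optional, Tuple

SUBPKT_SIG_CREATION_TIME = 2
SUBPKT_KEY_SERVER_PREFS = 23
SUBPKT_PREFERRED_KEY_SERVER = 24
SUBPKT_KEY_FLAGS = 27
NO_MODIFY = 0x80  # first flag octet of the Key Server Preferences subpacket


def _read_subpacket_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the one-, two- or five-octet subpacket length; return (length, new_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first <= 223:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    # 224..254 are partial-body lengths for packets, never valid for subpackets
    raise ValueError("invalid subpacket length octet %d" % first)


def parse_subpackets(area: bytes) -> List[Tuple[int, bool, bytes]]:
    """Return [(type, critical_bit, body), ...] for every subpacket in the area."""
    out = []
    pos = 0
    while pos < len(area):
        length, pos = _read_subpacket_length(area, pos)
        # length covers the type octet plus the body, so it is never zero
        if length == 0 or pos + length > len(area):
            raise ValueError("truncated or malformed subpacket at offset %d" % pos)
        type_octet = area[pos]
        body = area[pos + 1:pos + length]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), body))
        pos += length
    return out


def no_modify_requested(area: bytes) -> Optional[bool]:
    """True/False when a Key Server Preferences subpacket is present, None when absent."""
    for sub_type, _critical, body in parse_subpackets(area):
        if sub_type == SUBPKT_KEY_SERVER_PREFS:
            return bool(body and body[0] & NO_MODIFY)
    return None


def encode_subpacket(sub_type: int, body: bytes, critical: bool = False) -> bytes:
    """Encode one subpacket using the shortest valid length form (used to build samples)."""
    n = len(body) + 1  # length includes the type octet
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n2 = n - 192
        length = bytes([(n2 >> 8) + 192, n2 & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return length + bytes([sub_type | (0x80 if critical else 0)]) + body


# Constructed sample: a plausible hashed-subpacket area of a self-signature
# with No-modify set (timestamp and URL are placeholders, not real data).
SAMPLE_WITH_NO_MODIFY = (
    encode_subpacket(SUBPKT_SIG_CREATION_TIME, struct.pack(">I", 1643234580))
    + encode_subpacket(SUBPKT_KEY_FLAGS, b"\x03")
    + encode_subpacket(SUBPKT_KEY_SERVER_PREFS, bytes([NO_MODIFY]))
    + encode_subpacket(SUBPKT_PREFERRED_KEY_SERVER, b"hkps://keys.example.invalid")
)
# Constructed sample: preferences subpacket present, but No-modify clear.
SAMPLE_FLAG_CLEAR = (
    encode_subpacket(SUBPKT_SIG_CREATION_TIME, struct.pack(">I", 1643234580))
    + encode_subpacket(SUBPKT_KEY_SERVER_PREFS, b"\x00")
)
# Constructed sample: no Key Server Preferences subpacket at all.
SAMPLE_NO_PREFS = encode_subpacket(SUBPKT_SIG_CREATION_TIME, struct.pack(">I", 1643234580))


if __name__ == "__main__":
    for name, area in [("with No-modify", SAMPLE_WITH_NO_MODIFY),
                       ("flag clear", SAMPLE_FLAG_CLEAR),
                       ("no prefs subpacket", SAMPLE_NO_PREFS)]:
        print("%-20s -> no_modify_requested = %r" % (name, no_modify_requested(area)))
```

The parser returns `None` rather than `False` when the subpacket is missing, so a caller can distinguish "the key holder made no request" from "the key holder explicitly cleared the bit". The encoder exists only so the sample input can be built inline and so the 2-octet and 5-octet length forms get exercised.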
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users