Could this be mitigated by validating email addresses as they come in? Like sending an encrypted mail to the said address with a return token, if the token is not provided the key is never put into the SKS rotation?
I think a solution like this would be much more effective, and if there was some desire to conform to GDPR at some point it would be pretty much a required first step because I cannot see how we could possibly remove keys without a command signed by that key, and putting this in place would make that ‘no more difficult to remove than it was to add’.

Regards,
-Ryan Hunt

> On Jul 13, 2018, at 11:20 AM, Phil Pennock <sks-devel-p...@spodhuis.org> wrote:
>
> Signed PGP part
> Heads-up:
>
> https://medium.com/@mdrahony/are-pgp-key-servers-breaking-the-law-under-the-gdpr-a81ddd709d3e
> https://github.com/yakamok/keyserver-fs
> https://lobste.rs/s/sle0o4/are_pgp_key_servers_breaking_law_under
>
> This `keyserver-fs` is software to attack SKS, using it as a filesystem, in
> what appears to be a deliberate attack on the viability of continuing to
> run a keyserver.
>
> The author is upset that there's no deletion, so is pissing in the pool.
>
> -Phil
>
> _______________________________________________

Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
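Added example, not part of the original thread and not SKS code: a minimal gate that holds a submitted key out of the published set until a one-time token sent to the address on the key comes back, and reuses the same challenge for removal. The class name, the TTL and the fingerprint format are assumptions; mailing the token and encrypting it to the submitted key are assumed to happen outside this code.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # seconds a challenge stays valid (assumed value)


class KeyGate:
    """Hypothetical gate: a key is published only after its address returns a token."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # (fingerprint, email, action) -> (token_hash, expiry)
        self.published = {}  # fingerprint -> set of verified addresses

    def challenge(self, fingerprint, email, action):
        """Create a one-time token for 'add' or 'remove'.

        The caller mails the token to `email`, encrypted to the key with this
        fingerprint, so only the holder of the private key can read it.
        """
        if action not in ("add", "remove"):
            raise ValueError("action must be 'add' or 'remove'")
        if action == "remove" and email not in self.published.get(fingerprint, set()):
            raise KeyError("nothing published for that key and address")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()  # store only the hash
        self._pending[(fingerprint, email, action)] = (digest, self._now() + TOKEN_TTL)
        return token

    def redeem(self, fingerprint, email, action, token):
        """Apply the action if the token matches and has not expired."""
        entry = self._pending.get((fingerprint, email, action))
        if entry is None:
            return False
        digest, expiry = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if self._now() > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self._pending[(fingerprint, email, action)]  # tokens are single use
        emails = self.published.setdefault(fingerprint, set())
        if action == "add":
            emails.add(email)
        else:
            emails.discard(email)
        if not emails:
            del self.published[fingerprint]
        return True
```
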