Delete key from keyserver

David Shaw dshaw at jabberwocky.com
Sun Oct 23 16:11:59 CEST 2005


On Sat, Oct 22, 2005 at 06:26:51PM +0200, B. Kuestner wrote:

> all: Joe Smith has no way of fixing the situation, even if he is  
> legitimate owner of the joesmith at hisdomain.com e-mail address.
> 
> It strikes me that GNU supporters would bash MS (or for that reason
> any vendor of proprietary software) for dishing out once more a
> thoughtless, immature and insecure software design.
> 
> I understand it must not be simple to revoke or disable keys. But it  
> shouldn't be impossible either, especially in the light of anybody's  
> capability to put public keys under my name on the server.
> 
> Am I missing something?
> 
> >It's an inherent scaling problem of the keyserver net.  I've
> >seen estimates that the majority of the keys on the keyserver net are
> >not used for one reason or another, but can't be deleted.  Even with
> >the garbage keys, the keyserver database isn't too large to be served
> >though.
> 
> Well, my issue is not so much with the keyservers. I guess with  
> faster and more hardware this scheme could be maintained for decades.
> 
> But if the keyservers are not directories to look up public keys,  
> then what are they? And if they are meant as directories, how good  
> are they if they are flooded with garbage keys.
> 
> >The PGP company is running a different sort of keyserver at
> >http://keyserver.pgp.com.  This type of keyserver allows you to remove
> >keys if you can prove (by answering an email challenge) that you have
> >access to the email address on the key.  This keyserver obviously does
> >not synchronize with the others, however.
> 
> Can gpg use this keyserver? It is listed in the settings of my MacPG.  

GPG can use this keyserver.  Just set:

  keyserver ldap://keyserver.pgp.com

in your gpg.conf file (or whatever GUI you happen to be using).

> Is using this server recommendable for everybody?

This is a harder question.  I would unhesitatingly recommend it for
beginning users.  It's also useful for any level user who wants to
simplify the whole key selection process - it guarantees there is only
one key per email address.  If you want to mail to a particular
address, there is no question which is the "right" key, as there is
only the one key there.

I believe it is also the default keyserver for PGP users.

Some people do not like this server as it does email address
verification (via sending a mail to the email address on the key, if
any), and then signs the key.  These signatures are reissued every 2
weeks or so if people keep requesting the key.  The list of signatures
can get long.  Both PGP and GPG have features to delete the expired
ones.

David
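The two practical steps in the reply, setting the keyserver line and pruning the reissued signatures, as an added shell example that is not part of the original thread. The conf path is a parameter so it can be tried on a scratch file; `clean_key` assumes a GnuPG that accepts `--edit-key` commands on the command line (the `clean` command drops expired signatures).

```shell
#!/bin/sh
# Added example, not from the original mail. Idempotently set the keyserver in
# a gpg.conf and remove stale signatures that keyserver.pgp.com keeps reissuing.

# set_keyserver CONF URL: leave CONF with exactly one active "keyserver" line.
# Earlier keyserver lines are commented out rather than deleted, so the old
# value stays visible in the file but can no longer take effect.
set_keyserver() {
    conf=$1
    url=$2
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp"
    # Only a bare "keyserver <value>" line matches; "keyserver-options" does not.
    sed 's/^[[:space:]]*keyserver[[:space:]]/#&/' "$conf" > "$tmp" && mv "$tmp" "$conf"
    printf 'keyserver %s\n' "$url" >> "$conf"
    chmod 600 "$conf"
}

# active_keyserver CONF: print the URL gpg would pick from CONF (last one wins).
active_keyserver() {
    awk '$1 == "keyserver" { url = $2 } END { print url }' "$1"
}

# clean_key KEYID: strip expired signatures (e.g. the fortnightly reissued
# keyserver.pgp.com verification signatures) from a key in the local keyring.
clean_key() {
    gpg --batch --yes --edit-key "$1" clean save
}

# Usage: set_keyserver "$HOME/.gnupg/gpg.conf" ldap://keyserver.pgp.com
```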


