"No-Keyserver" (and other) flags on keys

David Shaw dshaw at jabberwocky.com
Mon Jun 28 01:34:51 CEST 2010


On Jun 27, 2010, at 4:27 PM, Dan Mahoney, System Admin wrote:

> On Sun, 27 Jun 2010, David Shaw wrote:
> 
>> On Jun 27, 2010, at 3:58 PM, Dan Mahoney, System Admin wrote:
>> 
>>> All,
>>> 
>>> How difficult would it be to propose some kind of extension flag to the PGP key format that in essence says "don't publish me to a keyserver". Note that I'm asking from a technical point of view, not a social (i.e. making servers support it) or IETF one (insert bikesheds here).
>>> 
>>> My question is: Is it possible to do in such a way that keys would be backward-compatible?
>> 
>> Not only is it possible, it already exists.  GnuPG can even set it and unset it, as you like.
> 
> Really?  Where is it?

It's a flag that can be set on a key user ID, similar to cipher or compression preferences.  Run "--edit-key" on a key, and enter "showpref" or "pref".  You will probably see a mention of "Keyserver no-modify" (or "no-ks-modify").  You can turn it on and off with setpref, like any other preference: "ks-modify" allows keyserver modifications, and "no-ks-modify" disallows them.

Note that the definition of no-modify is that only the keyholder (or the administrator of the keyserver) can override it.  So the flag only applies to other people - the keyholder can choose to upload his key if he so desires.

> Also, is it possible for either the manpage or the interactive help to include the meaning of the various preferences that are not cipher types?

Sure enough, it's not in the man page.  I'll fix that.

>> It's effectively a no-op though, as no server supports it.
> 
> I'm looking into making mods to at least one server type (we run one locally at work), and commit them upstream.  If I'm going to wade into that muck, I might as well have multiple things to try to make work.
> 
> The change in the key file format is the "hard" part :)

Having keyservers support no-modify requires that they first support crypto at all.  That's a really big step.

David
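As an added example, not code from this thread or from GnuPG itself: the ks-modify / no-ks-modify preference that showpref and setpref expose is stored in the "Key Server Preferences" subpacket (RFC 4880, section 5.2.3.17, type 23) of the self-signature on a user ID, with bit 0x80 of its first octet meaning "No-modify". The parser below decodes a (constructed) hashed subpacket area, reports whether the flag is set, and rewrites the area the way setpref would; it only rewrites the subpacket bytes, whereas GnuPG also re-signs the user ID afterwards.

```python
# Added example, not code from the post or from GnuPG: decode and rewrite the
# "Key Server Preferences" self-signature subpacket (RFC 4880 5.2.3.17, type 23)
# that GnuPG's showpref/setpref expose as ks-modify / no-ks-modify.

KEYSERVER_PREFS = 23   # subpacket type
NO_MODIFY = 0x80       # first-octet flag: only the keyholder (or server admin) may update

def parse_subpackets(area: bytes):
    """Split a signature subpacket area into (type, critical, body) tuples."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        i += 1
        if first < 192:                       # one-octet length
            length = first
        elif first < 255:                     # two-octet length
            length = ((first - 192) << 8) + area[i] + 192
            i += 1
        else:                                 # five-octet length
            length = int.from_bytes(area[i:i + 4], "big")
            i += 4
        body = area[i:i + length]
        i += length
        if len(body) != length or not body:
            raise ValueError("truncated subpacket")
        out.append((body[0] & 0x7F, bool(body[0] & 0x80), body[1:]))
    return out

def keyserver_no_modify(area: bytes) -> bool:
    """True when the self-signature carries no-ks-modify."""
    for stype, _critical, body in parse_subpackets(area):
        if stype == KEYSERVER_PREFS and body:
            return bool(body[0] & NO_MODIFY)
    return False  # no subpacket at all: modifications are allowed

def set_keyserver_no_modify(area: bytes, no_modify: bool) -> bytes:
    """Rebuild the area with the flag set or cleared (what setpref changes)."""
    kept = [p for p in parse_subpackets(area) if p[0] != KEYSERVER_PREFS]
    kept.append((KEYSERVER_PREFS, False, bytes([NO_MODIFY if no_modify else 0])))
    out = bytearray()
    for stype, critical, body in kept:
        assert len(body) < 191, "one-octet length form only in this example"
        out += bytes([len(body) + 1, stype | (0x80 if critical else 0)]) + body
    return bytes(out)

# Constructed hashed subpacket area: preferred symmetric algorithms (type 11:
# AES256, AES192, AES128, 3DES), keyserver prefs with no-modify, key flags (type 27).
SAMPLE = bytes.fromhex("050b09080702" "021780" "021b03")
```

Calling keyserver_no_modify(SAMPLE) returns True, and the same call on set_keyserver_no_modify(SAMPLE, False) returns False; a keyserver that honoured the flag would check exactly this bit before merging a third-party upload.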