Remove public key from keyserver

Robert J. Hansen rjh at sixdemonbag.org
Mon Jan 15 20:39:56 CET 2018


> I was just thinking, would it be possible to have a tag (a UID with
> special meaning, like “please-remove-me at srs-keyservers.net”?) for which
> the signature would be verified by the keyserver, and that would cause
> it to drop everything from its storage apart from this tag?

Nope.  SKS has no cryptographic code in it.  It does no evaluation of
certificates or signatures.

Adding this feature would require a vast amount of effort to add RFC4880
signature verification into the core of SKS.  And it would also destroy
one of the design goals of SKS, which is "the keyserver never discards
data".

To implement this would require a completely new keyserver
implementation, one with considerably more code, which would *by design*
drop certificates.  I'd say it would take about five years for such a
re-work to come to maturity and be trusted.  So yes, it can be done, but
it's not something to be done lightly, nor without a ton of buy-in from
the existing keyserver community.

> That said I guess ideas like this have already likely been discussed before?

Many times.  There appears to be no easy fix.
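To make the two sides of the argument concrete, here is an added toy model (not code from the post, from SKS, or from any real keyserver) of what the quoted proposal would require. It swaps in Ed25519 and a made-up self-signature format (a signature over fingerprint||0x00||uid) in place of RFC 4880, and uses the removal tag string from the quoted proposal. `MergeSKSStyle` models what the reply says SKS does today: union the submitted packets with what is stored, evaluate nothing, discard nothing. `MergeWithRemoval` models the proposed behaviour and shows the check a keyserver cannot skip once it is willing to drop data on request: a removal tag signed by anyone other than the key's owner must be rejected, otherwise a third party could remove any key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Removal tag from the quoted proposal: a UID with special meaning.
const removalTag = "please-remove-me@srs-keyservers.net"

// UserID is a toy stand-in for an OpenPGP User ID packet plus its self-signature.
// ASSUMPTION of this model: Sig is a plain Ed25519 signature over
// fingerprint||0x00||Name, not an RFC 4880 signature packet.
type UserID struct {
	Name string
	Sig  []byte
}

// Cert is a toy stand-in for a transferable public key: primary key plus UIDs.
type Cert struct {
	Pub  ed25519.PublicKey
	UIDs []UserID
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func uidMessage(pub ed25519.PublicKey, name string) []byte {
	return []byte(fingerprint(pub) + "\x00" + name)
}

// SignUID self-signs a UID with priv. Passing a priv that does not belong to
// pub produces a forgery, which is exactly what the third party below does.
func SignUID(priv ed25519.PrivateKey, pub ed25519.PublicKey, name string) UserID {
	return UserID{Name: name, Sig: ed25519.Sign(priv, uidMessage(pub, name))}
}

func (c Cert) verifyUID(u UserID) bool {
	return ed25519.Verify(c.Pub, uidMessage(c.Pub, u.Name), u.Sig)
}

type Keyserver struct{ store map[string]Cert }

func NewKeyserver() *Keyserver { return &Keyserver{store: map[string]Cert{}} }

// MergeSKSStyle: union of stored and submitted packets, no signature
// evaluation, nothing ever discarded (the SKS design goal named in the reply).
func (ks *Keyserver) MergeSKSStyle(c Cert) Cert {
	fp := fingerprint(c.Pub)
	cur, ok := ks.store[fp]
	if !ok {
		cur = Cert{Pub: c.Pub}
	}
	seen := map[string]bool{}
	for _, u := range cur.UIDs {
		seen[u.Name+string(u.Sig)] = true
	}
	for _, u := range c.UIDs {
		if k := u.Name + string(u.Sig); !seen[k] {
			cur.UIDs = append(cur.UIDs, u)
			seen[k] = true
		}
	}
	ks.store[fp] = cur
	return cur
}

// MergeWithRemoval: the proposed behaviour. It needs what SKS lacks, signature
// verification in the merge path. A tag whose self-signature verifies collapses
// the record to the tag alone; a tag that does not verify is dropped, so a
// third party cannot remove someone else's key. Returns the stored cert and
// whether a removal was accepted.
func (ks *Keyserver) MergeWithRemoval(c Cert) (Cert, bool) {
	cur := ks.MergeSKSStyle(c)
	var kept []UserID
	for _, u := range cur.UIDs {
		if u.Name != removalTag {
			kept = append(kept, u)
			continue
		}
		if cur.verifyUID(u) {
			cur.UIDs = []UserID{u}
			ks.store[fingerprint(cur.Pub)] = cur
			return cur, true
		}
		// Unverified removal tag: discard it, keep the rest of the record.
	}
	cur.UIDs = kept
	ks.store[fingerprint(cur.Pub)] = cur
	return cur, false
}

type DemoResult struct {
	AfterUpload, AfterForgery, AfterRemoval int
	ForgeryAccepted, RemovalAccepted        bool
}

// Demo: owner uploads a two-UID cert; a third party submits a removal tag
// signed with the wrong key; then the owner submits a genuine one. Keys are
// generated on the fly; nothing here is real key material.
func Demo() (DemoResult, error) {
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	ks := NewKeyserver()
	var r DemoResult
	upload := Cert{Pub: ownerPub, UIDs: []UserID{
		SignUID(ownerPriv, ownerPub, "Alice <alice@example.org>"),
		SignUID(ownerPriv, ownerPub, "Alice <alice@example.net>"),
	}}
	c, _ := ks.MergeWithRemoval(upload)
	r.AfterUpload = len(c.UIDs)
	forged := Cert{Pub: ownerPub, UIDs: []UserID{SignUID(otherPriv, ownerPub, removalTag)}}
	c, r.ForgeryAccepted = ks.MergeWithRemoval(forged)
	r.AfterForgery = len(c.UIDs)
	genuine := Cert{Pub: ownerPub, UIDs: []UserID{SignUID(ownerPriv, ownerPub, removalTag)}}
	c, r.RemovalAccepted = ks.MergeWithRemoval(genuine)
	r.AfterRemoval = len(c.UIDs)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point the model makes is the one in the reply: the difference between the two merge functions is not the removal logic itself (a few lines) but the requirement that the keyserver parse and verify signatures before it can trust any packet enough to act on it, which SKS never does; in real OpenPGP that means RFC 4880 packet parsing and signature verification, not the toy scheme used here.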
