On Apr 13, 2009, at 5:23 AM, Sven Radde wrote:

> Hi!
> 
> John Clizbe wrote:
>> You can remove any cruft you wish and distribute that key yourself. You
>> just can't use the keyserver networks to do it. Also anyone who
>> refreshes that key from a keyserver will pick up all the pieces you
>> decided needed deleting.
> 
> If you distribute the key yourself, you can set a preferred keyserver
> flag on your key. You can have that point to, e.g.,
> http://yoursite.com/yourkey.asc and refreshes should be done from there
> (unless the other user changes "keyserver-options honor-keyserver-url").
> 
> With PKA, you can even get automatic key retrieval without a keyserver.

That's not quite right. PKA records in DNS can point to a keyserver, but you still need the keyserver in the mix somewhere (though, like the "preferred keyserver" feature, that "keyserver" might be a key stored on a web server).

You might be thinking of CERT. The CERT DNS record can store either a URL like PKA does, or can store the whole key so you don't need a keyserver. Of course, that can make for a pretty big DNS record...

CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS. PKA is a different sort of thing - it's a pretty neat way to leverage the ubiquity of DNS into a different trust model. It just happens that both CERT and PKA can do the "DNS lookup to find a key" trick.

David
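To make the distinction above concrete, here is an added example (my own illustration, not code from this thread, from GnuPG, or from RFC 4398) that decodes the two DNS-side artifacts being discussed: a PKA TXT record, which only ever carries a fingerprint plus a URI to fetch from, and a CERT record, which is either type 6 (IPGP: fingerprint plus URL, same "still need somewhere to fetch from" situation) or type 3 (PGP: the whole key inline, hence the "pretty big DNS record"). It assumes GnuPG's `v=pka1;fpr=...;uri=...` TXT layout, the RFC 4398 RDATA header (type, key tag, algorithm) and the IPGP body layout of a one-octet fingerprint length followed by the fingerprint and the URL; all record contents are constructed samples and no DNS query is made.

```python
"""Decode PKA TXT and RFC 4398 CERT records (constructed samples, offline)."""
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 4398 CERT type codes for OpenPGP material.
CERT_TYPE_PGP = 3    # the whole OpenPGP transferable key is in the record
CERT_TYPE_IPGP = 6   # a fingerprint plus a URL where the key can be fetched

# Classic DNS UDP payload limit (RFC 1035); bigger answers need EDNS0 or TCP.
CLASSIC_UDP_LIMIT = 512


@dataclass
class PkaRecord:
    fingerprint: str        # 40 hex digits, normalised to upper case
    uri: Optional[str]      # keyserver or plain HTTP URL; None if absent


def parse_pka_txt(txt: str) -> PkaRecord:
    """Parse a <localpart>._pka.<domain> TXT record.

    Assumed GnuPG layout: 'v=pka1;fpr=<40 hex digits>;uri=<URL or keyserver>'.
    """
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.lower()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("unsupported PKA version: %r" % fields.get("v"))
    fpr = fields.get("fpr", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("fpr must be a 40-hex-digit OpenPGP v4 fingerprint")
    return PkaRecord(fingerprint=fpr, uri=fields.get("uri"))


def is_valid_pka_txt(txt: str) -> bool:
    """Convenience predicate around parse_pka_txt."""
    try:
        parse_pka_txt(txt)
        return True
    except ValueError:
        return False


@dataclass
class CertRecord:
    cert_type: int
    fingerprint: Optional[bytes] = None   # IPGP only
    url: Optional[str] = None             # IPGP only
    key_data: Optional[bytes] = None      # PGP only (raw OpenPGP packets)


def parse_cert_rdata(rdata: bytes) -> CertRecord:
    """Decode CERT RDATA: type(2) key tag(2) algorithm(1) certificate(...)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, _key_tag, _algorithm = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:]
    if cert_type == CERT_TYPE_PGP:
        # The record carries the key itself; nothing further to fetch.
        return CertRecord(cert_type, key_data=body)
    if cert_type == CERT_TYPE_IPGP:
        # Assumed layout: one-octet fingerprint length, fingerprint, then URL.
        if not body:
            raise ValueError("IPGP body missing")
        fpr_len = body[0]
        fpr = body[1:1 + fpr_len]
        if len(fpr) != fpr_len:
            raise ValueError("IPGP fingerprint truncated")
        return CertRecord(cert_type, fingerprint=fpr,
                          url=body[1 + fpr_len:].decode("ascii"))
    raise ValueError("CERT type %d does not carry OpenPGP data" % cert_type)


def build_cert_rdata(cert_type: int, fingerprint: bytes = b"", url: str = "",
                     key_data: bytes = b"") -> bytes:
    """Inverse of parse_cert_rdata; key tag and algorithm are written as 0."""
    header = struct.pack("!HHB", cert_type, 0, 0)
    if cert_type == CERT_TYPE_IPGP:
        return header + bytes([len(fingerprint)]) + fingerprint + url.encode("ascii")
    return header + key_data


def key_source(rec: CertRecord) -> str:
    """'inline' when the key is already in the record, else the URL to fetch."""
    return "inline" if rec.cert_type == CERT_TYPE_PGP else rec.url


def needs_large_dns_reply(rdata: bytes) -> bool:
    """True when the RDATA alone exceeds the classic 512-byte UDP answer."""
    return len(rdata) > CLASSIC_UDP_LIMIT
```

A client that follows either the PKA `uri` or the IPGP URL should compare the fingerprint of whatever it downloads against the one in the DNS record; that comparison is what turns "a URL someone published" into a key binding. With the type 3 form, `needs_large_dns_reply` shows why a full key in DNS pushes the answer past what a plain UDP resolver exchange handles.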


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users