On Apr 13, 2009, at 5:23 AM, Sven Radde wrote:
> Hi!
> John Clizbe wrote:
>> You can remove any cruft you wish and distribute that key yourself. You
>> just can't use the keyserver networks to do it. Also anyone who
>> refreshes that key from a keyserver will pick up all the pieces you
>> decided needed deleting.
> If you distribute the key yourself, you can set a preferred keyserver
> flag on your key. You can have that point to, e.g.,
> http://yoursite.com/yourkey.asc and refreshes should be done from there
> (unless the other user changes "keyserver-options honor-keyserver-url").
> With PKA, you can even get automatic key retrieval without a keyserver.
That's not quite right. PKA records in DNS can point to a keyserver,
but you still need the keyserver in the mix somewhere (though, like
the "preferred keyserver" feature, that "keyserver" might be a key
stored on a web server).

You might be thinking of CERT. The CERT DNS record can store either a
URL like PKA does, or can store the whole key so you don't need a
keyserver. Of course, that can make for a pretty big DNS record...

CERT is a standardized way (RFC 4398) to put OpenPGP keys in DNS. PKA
is a different sort of thing - it's a pretty neat way to leverage the
ubiquity of DNS into a different trust model. It just happens that
both CERT and PKA can do the "DNS lookup to find a key" trick.
David
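The two DNS record shapes the reply contrasts, as an added worked example that is not part of the thread or of GnuPG's own code. It builds and parses RFC 4398 CERT RDATA in both forms (type 3 "PGP", which embeds the whole binary OpenPGP key, and type 6 "IPGP", which embeds a fingerprint plus a URL, the "point at a keyserver" variant), and parses a PKA TXT record of the `v=pka1;fpr=...;uri=...` form that GnuPG 1.4/2.0 published under `<localpart>._pka.<domain>`. The key bytes, fingerprint and TXT record are constructed sample data; the URL is the one Sven used above. The 512-octet figure is the classic RFC 1035 UDP message limit without EDNS0, which is why the whole-key form makes for a "pretty big DNS record".

```python
"""Added example (not from the thread): RFC 4398 CERT records in both
forms, plus a PKA TXT record, built and parsed offline.

CERT RDATA: type (2 octets) | key tag (2) | algorithm (1) | certificate.
  type 3 (PGP):  certificate = the whole binary OpenPGP key
  type 6 (IPGP): certificate = fingerprint length (1) | fingerprint | URL
  Both use key tag 0 and algorithm 0 (RFC 4398 sec 2.1, 3.3).
PKA TXT (GnuPG 1.4/2.0 form): "v=pka1;fpr=<hex fingerprint>;uri=<url>".
All sample data below is constructed for the example.
"""
import base64
import hmac
import struct

CERT_PGP = 3
CERT_IPGP = 6
CLASSIC_UDP_PAYLOAD = 512  # RFC 1035 DNS/UDP message limit without EDNS0


def build_cert_rdata(cert_type, certificate):
    """Wire-format CERT RDATA; PGP/IPGP carry no key tag or algorithm."""
    return struct.pack("!HHB", cert_type, 0, 0) + certificate


def build_pgp_cert(openpgp_key):
    """Type 3: the entire binary key lives in the DNS record."""
    return build_cert_rdata(CERT_PGP, openpgp_key)


def build_ipgp_cert(fingerprint, url):
    """Type 6: fingerprint plus URL, so a fetch from the URL is still needed."""
    if not 1 <= len(fingerprint) <= 255:
        raise ValueError("fingerprint length must fit one octet")
    cert = bytes([len(fingerprint)]) + fingerprint + url.encode("ascii")
    return build_cert_rdata(CERT_IPGP, cert)


def parse_cert_rdata(rdata):
    """Decode CERT RDATA, rejecting truncated records."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-octet header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    cert = rdata[5:]
    if cert_type == CERT_PGP:
        return {"type": "PGP", "key": cert}
    if cert_type == CERT_IPGP:
        if not cert:
            raise ValueError("IPGP certificate missing fingerprint length")
        n = cert[0]
        if len(cert) < 1 + n:
            raise ValueError("IPGP fingerprint truncated")
        return {"type": "IPGP", "fingerprint": cert[1:1 + n],
                "url": cert[1 + n:].decode("ascii")}
    return {"type": cert_type, "key_tag": key_tag, "algorithm": algorithm,
            "certificate": cert}


def to_presentation(rdata):
    """Zone-file form (RFC 4398 sec 2.2): CERT <type> <key tag> <alg> <base64>."""
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return "CERT %d %d %d %s" % (cert_type, key_tag, algorithm,
                                  base64.b64encode(rdata[5:]).decode("ascii"))


def exceeds_classic_udp(rdata):
    """True when the RDATA alone already overflows a 512-octet DNS message."""
    return len(rdata) > CLASSIC_UDP_PAYLOAD


def parse_pka_txt(txt):
    """Parse a PKA TXT record into fingerprint bytes and the fetch URI."""
    fields = {}
    for item in txt.split(";"):
        if item:
            key, _, value = item.partition("=")
            fields[key] = value
    if fields.get("v") != "pka1":
        raise ValueError("not a pka1 record")
    return {"fingerprint": bytes.fromhex(fields["fpr"]), "uri": fields.get("uri")}


def fetched_key_matches(record_fingerprint, fetched_fingerprint):
    """With PKA or IPGP the DNS record binds the address to a fingerprint;
    the key fetched from the URL must match it or the URL is simply trusted."""
    return hmac.compare_digest(record_fingerprint, fetched_fingerprint)


# Constructed sample data (not a real key or fingerprint).
SAMPLE_FPR = bytes(range(0x10, 0x24))             # 20 octets, v4-fingerprint sized
SAMPLE_URL = "http://yoursite.com/yourkey.asc"    # URL from the thread
SAMPLE_KEY = bytes(range(256)) * 5                 # 1280-octet stand-in for a key


def demo():
    ipgp = build_ipgp_cert(SAMPLE_FPR, SAMPLE_URL)
    pgp = build_pgp_cert(SAMPLE_KEY)
    pka = parse_pka_txt("v=pka1;fpr=%s;uri=%s" % (SAMPLE_FPR.hex(), SAMPLE_URL))
    return {
        "ipgp_len": len(ipgp), "pgp_len": len(pgp),
        "ipgp_over_udp": exceeds_classic_udp(ipgp),
        "pgp_over_udp": exceeds_classic_udp(pgp),
        "ipgp_url": parse_cert_rdata(ipgp)["url"],
        "pka_uri": pka["uri"],
        "pka_matches_ipgp": fetched_key_matches(
            pka["fingerprint"], parse_cert_rdata(ipgp)["fingerprint"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
    print(to_presentation(build_ipgp_cert(SAMPLE_FPR, SAMPLE_URL)))
```

The point the sizes make: the fingerprint-plus-URL record (IPGP, like PKA) stays well under 512 octets, while embedding even a modest key pushes the answer past the classic UDP limit and onto EDNS0 or TCP fallback. In both "URL" variants the fingerprint in DNS is what actually binds the address to the key; `fetched_key_matches` is the check a client must run on whatever the URL hands back.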
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users