On Tue, 2015-03-03 at 14:00 +0100, Hans of Guardian wrote:
> The PGP keyservers need email validation

No, it's pretty useless from a security POV and they don't need it.

> not as a way to provide any kind of "trusted" status of that key, but
> rather to enable people to delete keys that should no longer be there,
> and to prevent keyserver spam and vandalism.

Unfortunately it seems that you miss(understand) some of the basic paradigms of security here:
Actually the opposite is the case - removing keys from the keyservers (even if they're allegedly spam) would be a big security compromise of the whole system, as potentially important information (revocation certs, valid keys, etc.) would be removed as well.

And who should in the end decide which key respectively which identity is valid? For there may be many Richard Stallmans, and if even such a famous person uses an address like stall...@gmail.com, he could later give it up and someone else takes it (or vice-versa).
If such keys would then be considered spam,... then good night.

> Another common scenario is that people make mistakes when learning how
> to use PGP. There is a common mistake of generating a key to play
> with, publishing to the keyserver, then deleting.

While that's unfortunate... it's part of the game, and as long as you aren't a keyserver operator/developer this shouldn't cause you any concerns - unless of course you use the keyservers to authenticate (i.e. only one Richard Stallman -> that must be him) ... but then you're doomed anyway and no one will, should or could help you.

> That is terrible both security-wise because

Actually the contrary, as laid out above. For that reason the keyservers used to generally refuse removal of keys for years, and exceptions were only made on selective servers and then only to obey some stupid laws which actually degrade security here.

Cheers,
Chris.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users