On 05/09/2010 05:10 PM, Faramir wrote:
> But comments field is for comments, not for identity information, so I
> don't see any problem in adding a hint so people can know "which key
> should I use?".

OK, but how many such comments should we use? (see below...)

> Good question, but, since the old key (unless it has expiration date)
> will still be shown as valid at the keyservers, probably it will haunt
> him forever.

True. And anyone who wants to can also create and upload a key with his exact User ID and no expiration date, and that bogus key will also haunt him forever. Should he include a comment about not using that maliciously-uploaded key as well? What if 10 bogus keys are uploaded with his User ID?

If Joe User's real key is actually 0xDECAFBAD and he still has control over it, what should other users do if they see a key uploaded with the User ID of:

  Joe User (Do Not Use 0xDECAFBAD) <[email protected]>

(remember that anyone can upload such a key)? Should people care about or rely upon those comments? Or are they noise?

The point is that people who haven't exchanged keys directly need to rely on certifications, not on "oh, this key happens to have a relevant-looking user ID bound to it". Since they already need to rely on certifications, it's best to just treat the bad/old key as though it were one of the malicious keys that anyone could upload.

The most useful response is to make sure that your proper key is well-certified, and that any bogus keys are not certified.

Regards,

--dkg
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
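Added example, not part of the message above and not GnuPG's own code: a small model of the selection rule dkg describes. Given several keyserver results that all carry Joe User's address, it keeps only keys whose User ID has been certified by a certifier the local user already trusts, drops expired keys, and never reads the comment field. All fingerprints, names and dates below are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Certification:
    """A signature over one User ID of a key (self-signature or third party)."""
    certifier: str  # fingerprint of the key that made the certification
    uid: str        # the exact User ID string that was certified


@dataclass
class Key:
    fingerprint: str
    uids: List[str]
    expires: Optional[date] = None
    certifications: List[Certification] = field(default_factory=list)


EMAIL_RE = re.compile(r"<([^>]+)>")


def uid_email(uid: str) -> Optional[str]:
    """Return the address inside <...>; name and (comment) parts are ignored."""
    m = EMAIL_RE.search(uid)
    return m.group(1).lower() if m else None


def select_keys(candidates: Iterable[Key], email: str,
                trusted_certifiers: Set[str], today: date) -> List[str]:
    """Fingerprints of keys that bind `email` in a User ID which a trusted
    certifier other than the key itself has signed. Expired keys are skipped
    and the comment text of the User ID plays no role in the decision."""
    chosen = []
    for key in candidates:
        if key.expires is not None and key.expires < today:
            continue
        for uid in key.uids:
            if uid_email(uid) != email.lower():
                continue
            certified = any(
                c.uid == uid
                and c.certifier in trusted_certifiers
                and c.certifier != key.fingerprint
                for c in key.certifications
            )
            if certified:
                chosen.append(key.fingerprint)
                break
    return chosen


# Constructed sample data. ALICE is someone whose key the local user verified
# in person; MALLORY is an unknown party who uploaded and "certified" a key.
ALICE = "CAFE0001"
MALLORY = "0BAD0099"
JOE_UID = "Joe User <joe@example.org>"

REAL_KEY = Key("DECAFBAD", [JOE_UID], certifications=[
    Certification("DECAFBAD", JOE_UID),   # self-signature
    Certification(ALICE, JOE_UID),        # trusted third-party certification
])
COMMENT_KEY = Key("BAD00001",
                  ["Joe User (Do Not Use 0xDECAFBAD) <joe@example.org>"],
                  certifications=[Certification("BAD00001",
                      "Joe User (Do Not Use 0xDECAFBAD) <joe@example.org>")])
MALLORY_KEY = Key("BAD00002", [JOE_UID], certifications=[
    Certification("BAD00002", JOE_UID),
    Certification(MALLORY, JOE_UID),
])
OLD_KEY = Key("01D00001", [JOE_UID], expires=date(2009, 1, 1),
              certifications=[Certification(ALICE, JOE_UID)])

SAMPLE_KEYS = [COMMENT_KEY, MALLORY_KEY, OLD_KEY, REAL_KEY]


def demo() -> List[str]:
    """Keys usable for joe@example.org when only ALICE is trusted."""
    return select_keys(SAMPLE_KEYS, "joe@example.org", {ALICE},
                       date(2010, 5, 10))


if __name__ == "__main__":
    print(demo())  # only the well-certified key survives
```

The self-signature on the "Do Not Use" key proves nothing, since anyone can make one, and the key Mallory vouched for is rejected because Mallory is not among the trusted certifiers; trusting Mallory instead would flip the result, which is exactly why the decision belongs to certifications rather than to User ID text.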
