Hello,

I started using gpg (with enigmail) today and found out I already have a key for my e-mail address on the key servers, which I had completely forgotten about. Of course I do not have the private key for this old key any more. Therefore I created a new key.

Some sources on the web suggested leaving a message in the old key which states that the key is not used any more. To do this I binary-edited a gpg file and uploaded the modified old key to the keyserver again. The result looked promising: http://pgpkeys.pca.dfn.de/pks/lookup?op=vindex&search=0x6260AB5E079E8AA6

Is this a security risk? I could do this for any key and leave wrong messages on the key server which point to some other key.

After a discussion on #gnupg I was told that gpg will not import the added user ID because the signature is wrong. While this is great for security, the key server still shows the user ID. Is it a bug in the key server that it does not check new data for validity?

Greetings,
Thomas
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users