-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/03/2015 04:20 PM, Kristian Fiskerstrand wrote:
> On 03/03/2015 01:50 PM, Hans of Guardian wrote:
> 
>> On Feb 27, 2015, at 1:11 PM, Kristian Fiskerstrand wrote:
> 
...
> 
>>> The standard PGP keyserver pool is a mess with racist spam,
>>> lost keys that will be there forever, etc. The concept of
>>> email validation is very very common and proven in internet
>>> service providers.
> 
> And anyone is free to set up a CA that performs this validation
> and signs the returned key.
> 
>>> It is time for OpenPGP keyservers to join the rest of the
>>> internet.
> 
> 
> They are already quite up to date, SKS 1.1.5+ (development master)
> even supports the experimental Ed25519 draft used by GnuPG. What
> you are proposing here isn't about joining the rest of the
> internet, it is about subverting the security by introducing a
> false sense of security and even worse, that opens up well known
> attack vectors.
> 
> By the way, an OpenPGP key is fully valid without any email address
> as part of any UID.

For completeness, going to include some of the template for my response
to delete key requests; but your situation is a good example of why one
should never trust a key based on email address in UID alone, but need
to verify fingerprint, creation type, key algorithm etc with the
perceived owner and certify/sign the key.

If you google you'll find some more detailed explanations as to why you
can't delete a key from a keyserver. Long story short, even if it was
technically possible the social protocol is missing.

Speaking more generally, there might've been two (or more) people
sharing the same name, and email addresses change over time; if the
previous user deleted his email, it wouldn't make the key any less
valid if someone else took over the email address. This is why one
should never trust email address alone, but always verify keys through
other means (mainly fpr, creation date, algo, size).

That several keys exist for a single address is, from a cryptographical
and security point of view, irrelevant, as it is only applicable as a
potential issue if people don't follow proper procedure for due diligence.
- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Aquila non capit muscas
The eagle does not hunt flies
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJU9dHLAAoJEP7VAChXwav6CmwH/AhHo8DYGxagxwESb6o1LlHm
oDHv/W4tWF5tcp7gOW4bQfjHglgIIVJqAZoroyRIYfmK4amrX1kGqWDHG2aJ80Rr
IoQwJjAyhQkUhea+lIZ+w3JaY80gtZ2ZaFZ1Dj88OAg5qX02Dy5ip2e0SunzA/91
jPjqFyUuuXDt5ThUblaTS4DgrlDEXWtYacaalE/nCZhdtlwVE4eBbma5Fp7LTLfU
nBIzPtZNe64gXz9h9BWZmDgLLXWvrlj1CuUCe6KKkxZoDUUgsWZBszwW+tv9HlPq
x3Gc8e2A5aIc4UooJlMnlvS/78AQ6nDieTBcgMiYKyxuyC7fP3bWEf9Xrhv6SKE=
=Z4Ie
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
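The advice in the message above, that an address in a UID identifies nothing and a key must be matched on fingerprint, creation date, algorithm and size given to you by the perceived owner, carried into code as an added example. This is the editor's illustration, not code from the thread or from GnuPG. It parses the machine-readable `gpg --with-colons --with-fingerprint --list-keys` output (field layout as documented in GnuPG's doc/DETAILS: record type, key length, algorithm number, key ID, creation time, and field 10 for the fingerprint or user ID) and shows that the e-mail alone yields several candidate keys while the out-of-band attributes single out one. The listing, the key IDs, fingerprints, timestamps and the address alice@example.org are all constructed for the example; only the `gpg` invocation and field positions are GnuPG's.

```python
"""Vet an OpenPGP key by fingerprint, creation time, algorithm and size,
not by the e-mail address in its user ID.

Input is the machine-readable `gpg --with-colons` listing (for example
`gpg --with-colons --with-fingerprint --list-keys`). Field positions follow
GnuPG's doc/DETAILS: field 1 record type, 3 key length, 4 public-key
algorithm number, 5 key ID, 6 creation time (seconds since the epoch),
and field 10 the fingerprint (fpr records) or the user ID (uid records).
"""
from dataclasses import dataclass, field

# OpenPGP public-key algorithm numbers as GnuPG prints them in field 4.
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


@dataclass
class Key:
    keyid: str
    bits: int
    algo: int
    created: int          # seconds since the epoch
    fpr: str = ""         # primary-key fingerprint, 40 upper-case hex digits
    uids: list = field(default_factory=list)


def parse_colons(listing):
    """Turn a --with-colons listing into Key objects (primary keys only)."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(keyid=f[4], bits=int(f[2]), algo=int(f[3]),
                            created=int(f[5])))
        elif f[0] == "fpr" and keys and not keys[-1].fpr:
            # The first fpr after a pub record is the primary key's;
            # later fpr records belong to subkeys and are skipped.
            keys[-1].fpr = f[9].upper()
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys


def keys_for_email(keys, email):
    """All keys whose UIDs carry <email>; there may be several, or none."""
    needle = "<%s>" % email.lower()
    return [k for k in keys if any(needle in u.lower() for u in k.uids)]


def normalize_fpr(fpr):
    """Accept the spaced form ('94CB AFDD ...') as well as the raw form."""
    return fpr.replace(" ", "").upper()


def verify(key, expected):
    """Compare a key with what the perceived owner told you out of band.

    `expected` is a dict with keys fpr, created, algo and bits. Returns
    the list of attribute names that do not match; an empty list means
    the key is the one the owner described.
    """
    mismatches = []
    if key.fpr != normalize_fpr(expected["fpr"]):
        mismatches.append("fpr")
    if key.created != expected["created"]:
        mismatches.append("created")
    if key.algo != expected["algo"]:
        mismatches.append("algo")
    if key.bits != expected["bits"]:
        mismatches.append("bits")
    return mismatches


# Constructed sample listing (not real keys): two keys whose UIDs carry the
# same address. Key IDs, fingerprints and timestamps are made up.
SAMPLE_LISTING = """\
pub:u:4096:1:1111111111111111:1388534400:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1388534400::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:2222222222222222:1388534400::::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
pub:-:2048:1:3333333333333333:1425340800:::-:::scESC::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
uid:-::::1425340800::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
"""

# What Alice told you over the phone (constructed, matching the first key).
ALICE_SAYS = {"fpr": "AAAA AAAA AAAA AAAA AAAA AAAA 1111 1111 1111 1111",
              "created": 1388534400, "algo": 1, "bits": 4096}


def vet_by_email(listing, email, expected):
    """Return {fingerprint: mismatches} for every key carrying the address.

    The address alone finds several candidates; only the out-of-band
    attributes single out the right one.
    """
    return {k.fpr: verify(k, expected)
            for k in keys_for_email(parse_colons(listing), email)}


if __name__ == "__main__":
    result = vet_by_email(SAMPLE_LISTING, "alice@example.org", ALICE_SAYS)
    for fpr, bad in result.items():
        print(fpr, "OK" if not bad else "REJECT: " + ", ".join(bad))
```

On real input, feed the output of `gpg --with-colons --with-fingerprint --list-keys` to `vet_by_email` with the attributes the owner gave you in person or over another trusted channel; both constructed keys above carry the same address, and only the one matching fingerprint, creation time, algorithm and size passes. A key that passes is the one to certify with `gpg --sign-key`; the address match on its own decides nothing.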