On Sun, Aug 16, 2015 at 4:15 AM, MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:
> Hi
>
> On Sunday 16 August 2015 at 9:10:28 AM, in
> <mid:20150816081028.ga26...@zwiebelfreund.de>, Stefan Claas wrote:
>
>> after seeing Facebook's public key a couple of days ago, I was wondering
>> if it's possible to enhance GnuPG in a future version, so that it no
>> longer allows someone to sign a public key without approval of the owner.
>
> If GnuPG were modified in this way the key could still be signed using an
> old GnuPG version, or any other OpenPGP application.
>
> I guess a modification would be possible that allowed a GnuPG user to
> sign acceptance or rejection over a third-party signature, but I'm not
> convinced there would be any point. Firstly, would such acceptance or
> rejection be dropped by the keyservers?
<snip>
No, the keyserver pool does not reject any signatures, even if the signature itself is invalid. When you receive a public key from the keyserver pool it's the job of the client to clean/reject invalid or unknown signatures. I've argued a bit that keyservers should start to play a role in policing the pool, but it's a controversial topic.

https://lists.gnu.org/archive/html/sks-devel/2015-05/msg00022.html

Unfortunately, that leads to trolls tagging notable public keys (such as Facebook and Adrian Lamo) with unseemly material, but these will just be ignored by gpg when you fetch that public key.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
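To make the reply's point concrete, here is an added shell example (not from the thread or from the GnuPG project) that builds a key with an unsolicited third-party certification and shows that a plain import keeps it while `--import-options import-clean` drops it because the signer is unknown to the receiving keyring. It assumes gpg 2.1 or later on the PATH; the identities Alice and Bob and the `example.invalid` addresses are constructed.

```shell
#!/bin/sh
# Added example: a third-party certification travels with the exported key;
# the receiving client, not the keyserver, decides whether to keep it.
set -e
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; exit 0; }

WORK=$(mktemp -d)
OWNER="$WORK/owner"; PLAINDIR="$WORK/recip-plain"; CLEANDIR="$WORK/recip-clean"
mkdir -p "$OWNER" "$PLAINDIR" "$CLEANDIR"; chmod 700 "$OWNER" "$PLAINDIR" "$CLEANDIR"
cleanup() {  # stop the per-homedir agents gpg starts, then remove the keyrings
  for d in "$OWNER" "$PLAINDIR" "$CLEANDIR"; do gpgconf --homedir "$d" --kill gpg-agent >/dev/null 2>&1 || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT

gpg_in() {  # gpg_in HOMEDIR args... : non-interactive gpg against one keyring
  d=$1; shift
  gpg --homedir "$d" --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"
}
fpr_of() {  # fpr_of HOMEDIR USERID : fingerprint of the primary key matching USERID
  gpg_in "$1" --list-keys --with-colons "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}
count_sigs_from() {  # count_sigs_from HOMEDIR KEY SIGNER : certifications by SIGNER on KEY
  gpg_in "$1" --list-sigs --with-colons "$2" \
    | awk -F: -v kid="$(printf '%s' "$3" | tail -c 16)" '$1=="sig" && $5==kid{n++} END{print n+0}'
}

# Alice and Bob share the "owner" keyring (constructed identities).  Bob
# certifies Alice's key without asking her; nothing in OpenPGP prevents this.
gpg_in "$OWNER" --quick-generate-key 'Alice <alice@example.invalid>' default default never
gpg_in "$OWNER" --quick-generate-key 'Bob <bob@example.invalid>' default default never
ALICE=$(fpr_of "$OWNER" alice@example.invalid)
BOB=$(fpr_of "$OWNER" bob@example.invalid)
gpg_in "$OWNER" --local-user "$BOB" --quick-sign-key "$ALICE"
gpg_in "$OWNER" --armor --export "$ALICE" > "$WORK/alice.asc"

# A recipient who has never seen Bob's key imports Alice's key.
# Plain import keeps Bob's certification even though it cannot be verified.
gpg_in "$PLAINDIR" --import "$WORK/alice.asc"
PLAIN=$(count_sigs_from "$PLAINDIR" "$ALICE" "$BOB")

# import-clean removes signatures made by keys that are absent from the keyring.
gpg_in "$CLEANDIR" --import-options import-clean --import "$WORK/alice.asc"
CLEAN=$(count_sigs_from "$CLEANDIR" "$ALICE" "$BOB")

echo "certifications from Bob kept: plain import=$PLAIN, import-clean=$CLEAN"
```

`gpg --check-sigs` on the plain-import keyring reports the same certification as unverifiable (`sig?`), which is the behaviour the reply describes: the signature is present but carries no weight until the signer's key is known.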