On Sat, Aug 02, 2003 at 12:31:45PM +0300, Shachar Shemesh wrote:
> In the future, please don't upload other people's keys to keyservers.
> Whether someone's key is published or not should be up to that someone
> to decide. It is considered impolite to upload someone else's key.

If the key is not on the key server, there's not much point to the whole business of expanding the web of trust, since the effort of finding your public key becomes too great, especially in this age of spam-munged email addresses.

What I will do in the future, however, is mention in key signing party announcements that anyone who does NOT want his key to be published should tell me so, and I will comply with their wishes. This is in accordance with the gpg key signing howto, which states:

"I don't recommend that you keep your public key secret as it will discourage others from using PGP in their communications with you. To address the issue of the possibility of a compromised or broken keyserver returning an invalid key you can take steps to protect yourself from having messages sent to you encrypted with invalid keys, such as publishing your key's fingerprint in your .signature file or on your web page.

To address the concern about the attacking of your key pair through your publicly available public key, I would say that if you are very concerned about the strength of your keypair or truly paranoid about the secrecy of your communications, you could generate additional keypairs (which expire in a matter of hours or days) for each communication and exchange the public keys of those keypairs through encrypted communications with the individual you'll be communicating with.

If you don't wish to have your key on a public keyserver, you should skip this step and instead email your public key to the keysigning party coordinator with a message stating that you don't want your key on a public keyserver. The coordinator can then extract your public key information and forward your key on to the other participants via encrypted e-mail, or some other method, along with a note stating that the key should be returned to its owner after signature rather than uploaded to a keyserver."

-- 
Muli Ben-Yehuda
http://www.mulix.org
http://www.livejournal.com/~mulix/
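The howto passage quoted in the mail above describes a procedure: publish your key's fingerprint out of band, optionally use short-lived keys, and hand your public key to the coordinator by mail rather than through a keyserver. The script below is an added example from the editor of this page, not code from the mail, its author, or the howto it quotes. It walks that procedure with throwaway keyrings and shows the check the howto is getting at: a key received by mail or from a "compromised or broken keyserver" is imported only if its fingerprint equals the one the owner published. It assumes GnuPG 2.1 or later on PATH (for `--quick-generate-key`, loopback pinentry and `--import-options show-only`); the names, addresses, the 2-day expiry and the file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original mail or the howto it quotes): the
# publish-fingerprint / mail-the-key / check-before-import workflow with
# throwaway keyrings. Assumes GnuPG >= 2.1; every name, address, expiry
# and path below is an assumption made for the demonstration.
set -e
command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; exit 1; }

# Fingerprint of the first key matching a user id in a keyring
# (field 10 of the "fpr" record in --with-colons output).
key_fingerprint() {
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of the primary key in an exported key file, read WITHOUT
# importing it, so a key that arrived by mail can be checked first.
file_fingerprint() {
    GNUPGHOME="$1" gpg --batch --with-colons --import-options show-only \
        --import "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate a short-lived, passphrase-less key (the howto suggests keys that
# expire in hours or days; "2d" is arbitrary) and return its fingerprint.
make_temp_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default 2d 2>/dev/null
    key_fingerprint "$1" "$2"
}

# ASCII-armored export, as the owner would mail it to the coordinator
# instead of uploading it to a keyserver.
export_public_key() {
    GNUPGHOME="$1" gpg --batch --armor --export "$2" > "$3"
}

# Import a received key only if its fingerprint equals the value the owner
# published out of band (.signature file, web page). Prints OK or MISMATCH
# and returns 0 or 1; a forged key carrying the same name and address is
# rejected no matter where it came from.
import_if_fingerprint_matches() {
    home=$1 keyfile=$2 expected=$3
    got=$(file_fingerprint "$home" "$keyfile")
    if [ -n "$got" ] && [ "$got" = "$expected" ]; then
        GNUPGHOME="$home" gpg --batch --quiet --import "$keyfile" 2>/dev/null
        echo OK
        return 0
    fi
    echo "MISMATCH expected $expected got $got"
    return 1
}

WORK=$(mktemp -d)
ALICE_HOME="$WORK/alice"; BOB_HOME="$WORK/bob"; MALLORY_HOME="$WORK/mallory"
mkdir -m 700 "$ALICE_HOME" "$BOB_HOME" "$MALLORY_HOME"
trap 'for h in "$ALICE_HOME" "$BOB_HOME" "$MALLORY_HOME"; do
          GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
      done; rm -rf "$WORK"' EXIT
ALICE_UID="Alice Example <alice@example.org>"   # made-up participant

# Alice makes her key and publishes only the fingerprint (a variable here,
# standing in for her .signature or web page); the key itself goes by mail.
ALICE_FPR=$(make_temp_key "$ALICE_HOME" "$ALICE_UID")
export_public_key "$ALICE_HOME" "$ALICE_UID" "$WORK/alice.asc"

# Mallory makes a key with Alice's name and address, the kind of "invalid
# key" a broken keyserver or a spoofed mail might deliver.
make_temp_key "$MALLORY_HOME" "$ALICE_UID" > /dev/null
export_public_key "$MALLORY_HOME" "$ALICE_UID" "$WORK/mallory.asc"

# Bob checks both files against the fingerprint Alice published.
GENUINE=$(import_if_fingerprint_matches "$BOB_HOME" "$WORK/alice.asc" "$ALICE_FPR")
FORGED=$(import_if_fingerprint_matches "$BOB_HOME" "$WORK/mallory.asc" "$ALICE_FPR" || true)
echo "genuine key: $GENUINE"
echo "forged key:  $FORGED"
```

The point of checking the file before `--import` is that user ids carry no authentication: both keys above say "Alice Example <alice@example.org>", and a keyring search by name would find whichever was imported first. Only the fingerprint, obtained through a channel other than the one the key came through, separates them.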
