Hi all,
Traditionally key servers have not had any options for deleting keys, so over
the years there ends up being a number of invalid keys where the owner no
longer has the corresponding private key or has closed the email account tied
to the key.

The problem of not being able to delete keys also contributes to the issue of
keyserver-based harassment or "doxing," where personal information and emails
are uploaded without permission. Since the keyserver does not verify ownership
of an email before accepting the key, anyone can create and upload a key for
any email and include personal information in the name field.

An example of 'Obama': http://pgp.mit.edu/pks/lookup?search=obama&op=index

'Hillary Clinton' shows similar issues:
http://pgp.mit.edu/pks/lookup?search=hillary+clinton&op=index

One can also create and upload keys which contain a victim's username, legal
name, phone number, address, and other personal information and upload the key
to the keyserver. It would essentially be a permanent record for someone's
personal information.

It doesn't benefit anyone to retain keys uploaded with malicious intent, so I
believe it's worth discussing a mechanism for key removal due to abuse of the
system.
Thank you.
_______________________________________________
Sks-devel mailing list
https://lists.nongnu.org/mailman/listinfo/sks-devel