
OpenPGP certificate flooding

Posted Jul 3, 2019 20:20 UTC (Wed) by vadim (subscriber, #35271)
In reply to: OpenPGP certificate flooding by ttelford
Parent article: OpenPGP certificate flooding

I think the idea is proving you own the private key to the key being signed. So for instance, only the owner of the Tor key would be able to send updated versions of it to keyservers.



OpenPGP certificate flooding

Posted Jul 4, 2019 0:18 UTC (Thu) by pabs (subscriber, #43278)

Right, it would be pretty pointless for anyone else than the holder of the key being signed to be able to upload signatures.

For context: the proper way to get signatures on your OpenPGP key is that signers use caff or similar to send email containing signatures to the UIDs on your key to verify that the key holder also owns the email addresses. On receiving the emails the key holder imports the signatures and forwards their key to the keyserver network.

So my proposal fits into the proper workflow for obtaining and distributing signatures (that most communities use) and as a bonus eliminates both spam signatures and improperly distributed signatures that haven't verified UID control or haven't even verified fingerprints. Of course the signer and key holder could work around this using other more manual transports, but hopefully those would be deprecated in all the tools surrounding signing.

OpenPGP certificate flooding

Posted Jul 8, 2019 16:26 UTC (Mon) by ttelford (guest, #44176)

Now it makes sense to me.

My naive thought is that it would be along the lines of:
1. Alice uploads her public key
2. Bob signs Alice's public key
3. For Bob's signature to be valid, Alice has to sign (or have already signed) Bob's key in her local keychain
4. Alice uploads the new (signed) public key, and Bob gets a copy of his public key signed by Alice.
5. Bob receives his public key (signed by Alice), and can (in turn) upload his public key (which is signed by Alice).

Though I'm sure there's a better idea than that...
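The keyserver rule pabs describes above (only the holder of the key being signed can add signatures to it) together with the upload flow in ttelford's steps 1, 2, 4 and 5, as an added example that is not part of this thread, of the LWN article or of any keyserver's code. It is a constructed in-memory model in Go with Ed25519 standing in for OpenPGP key and signature packets; the Keyserver, Certify, Authorize and Submit names, the hex-of-public-key fingerprint and the countersignature-per-certification design are assumptions of the example, and step 3's cross-signing condition is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed in-memory model; Ed25519 stands in for OpenPGP key and signature packets.
type (
	// Certification is a third party's signature over the target's primary key, plus
	// HolderSig, the target key holder's countersignature over it (the proof of control).
	Certification struct {
		SignerFP  string
		Signature []byte
		HolderSig []byte
	}
	// Certificate is the server's record for one primary key.
	Certificate struct {
		Primary        ed25519.PublicKey
		Certifications []Certification
	}
	Keyserver map[string]*Certificate // fingerprint -> stored certificate
)

// Fingerprint is hex of the raw key (a simplification; OpenPGP hashes the key packet).
func Fingerprint(pk ed25519.PublicKey) string { return hex.EncodeToString(pk) }

// Publish registers a primary key (once) and returns the fingerprint naming its record.
func (ks Keyserver) Publish(pk ed25519.PublicKey) string {
	fp := Fingerprint(pk)
	if _, ok := ks[fp]; !ok {
		ks[fp] = &Certificate{Primary: pk}
	}
	return fp
}

// Certify is the signer's step (Bob signs Alice's key); HolderSig is still empty.
func Certify(signerPriv ed25519.PrivateKey, target ed25519.PublicKey) Certification {
	return Certification{SignerFP: Fingerprint(signerPriv.Public().(ed25519.PublicKey)),
		Signature: ed25519.Sign(signerPriv, target)}
}

// Authorize is the holder's step: after importing the certifications received by mail,
// countersign each one with the target key's own private half before uploading.
func Authorize(holderPriv ed25519.PrivateKey, certs []Certification) []Certification {
	out := make([]Certification, len(certs))
	for i, c := range certs {
		c.HolderSig = ed25519.Sign(holderPriv, c.Signature)
		out[i] = c
	}
	return out
}

// Submit enforces the rule: a certification is appended only if the key holder has
// countersigned it and it verifies against a signer key the server already knows.
func (ks Keyserver) Submit(targetFP string, certs []Certification) error {
	cert, ok := ks[targetFP]
	if !ok {
		return fmt.Errorf("unknown target key")
	}
	for _, c := range certs {
		if !ed25519.Verify(cert.Primary, c.Signature, c.HolderSig) {
			return fmt.Errorf("certification not authorized by the key holder")
		}
		signer, ok := ks[c.SignerFP]
		if !ok || !ed25519.Verify(signer.Primary, cert.Primary, c.Signature) {
			return fmt.Errorf("certification from %.8s does not verify", c.SignerFP)
		}
	}
	cert.Certifications = append(cert.Certifications, certs...)
	return nil
}

// Scenario plays out the thread's cases with fresh keys: were Bob's direct upload and an
// unrelated key's upload rejected, was Alice's own upload accepted, and how many
// certifications does Alice's record hold afterwards.
func Scenario() (bobRejected, strangerRejected, holderAccepted bool, aliceCerts int) {
	ks := Keyserver{}
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	aliceFP := ks.Publish(alicePub)
	ks.Publish(bobPub)
	bobSig := []Certification{Certify(bobPriv, alicePub)}
	// Bob uploads his certification himself, countersigning with his own key: refused.
	bobRejected = ks.Submit(aliceFP, Authorize(bobPriv, bobSig)) != nil
	// An unrelated key attaches its own certification to Alice's record (the flooding
	// pattern from the article), countersigned only by itself: refused the same way.
	strangerRejected = ks.Submit(aliceFP, Authorize(strangerPriv, []Certification{Certify(strangerPriv, alicePub)})) != nil
	// Alice imports Bob's certification, countersigns it and uploads it: accepted.
	holderAccepted = ks.Submit(aliceFP, Authorize(alicePriv, bobSig)) == nil
	return bobRejected, strangerRejected, holderAccepted, len(ks[aliceFP].Certifications)
}

func main() {
	b, s, h, n := Scenario()
	fmt.Printf("bob rejected=%v stranger rejected=%v alice accepted=%v certs=%d\n", b, s, h, n)
}
```

Run with `go run`. The same check rejects Bob's direct upload and a stranger's attempt to attach signatures to Alice's record: neither countersignature verifies under Alice's primary key, so the server never has to guess who is flooding whom. Bob's certification lands only after Alice has imported it and countersigned it herself, which is the caff flow pabs describes. The server also refuses certifications from signer keys it does not already hold, so a record can grow only by its owner's action.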


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds