
A key doesn't get imported from one of the keyservers
Hi,

The following two commands succeed:

$ gpg --keyserver keyserver.ubuntu.com --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
$ gpg --keyserver hkp://pgp.mit.edu --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 # sometimes

But this one doesn't:

$ gpg --keyserver keys.openpgp.org --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
gpg: key 3804BB82D39DC0E3: no user ID
gpg: Total number processed: 1

Is something wrong with the key that resides on keys.openpgp.org? Are
the keys that are on these 3 keyservers the same?

Regards,
Yuri

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A key doesn't get imported from one of the keyservers
Hi Yuri,

> Is something wrong with the key that resides on keys.openpgp.org? Are
> the keys that are on these 3 keyservers the same?

Unlike the other keyservers, keys.openpgp.org has a [privacy policy] that
doesn't permit distributing email addresses without consent. The key in question
has no verified user ids, and thus can't be imported, it can only be used to
retrieve updates when you already have the key (I should really add a FAQ entry
about this).

Worth mentioning that pool.sks-keyservers.net closed down a few weeks ago
precisely because most keyservers have no privacy policy at all (aka "anything
goes"), which caused too many conflicts with GDPR.

Cheers

- V

[privacy policy]: https://keys.openpgp.org/about/privacy

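Added example, not code from this thread, from GnuPG or from keys.openpgp.org: a small Python walker over the OpenPGP packet framing (RFC 4880, section 4.2) that lists the User ID packets in a binary key block, so you can see locally why a key served without its user IDs is rejected with "no user ID". The two sample key blocks are constructed with bogus key material (only the packet framing matters here); to inspect a real key, feed it the binary output of `gpg --export KEYID`.

```python
# Added example: minimal OpenPGP packet walker to detect keys with no User ID packet.
# keys.openpgp.org serves keys without their unverified User IDs, and gpg then
# refuses the import with "no user ID"; this reproduces that check offline.
PUBKEY, USERID, SUBKEY, SIG = 6, 13, 14, 2

def iter_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if ctb & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:                 # one-octet length
                length, i = first, i + 2
            elif first < 224:               # two-octet length
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:              # five-octet length
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = 1 << ltype             # 1, 2 or 4 length octets
            length = int.from_bytes(data[i + 1:i + 1 + nbytes], "big")
            i += 1 + nbytes
        yield tag, data[i:i + length]
        i += length

def user_ids(key_bytes):
    """Return the User ID strings (tag 13 packet bodies) found in a key block."""
    return [body.decode("utf-8", "replace")
            for tag, body in iter_packets(key_bytes) if tag == USERID]

def importable(key_bytes):
    """Mirror the rule seen in the thread: no User ID packet means gpg rejects the key."""
    return len(user_ids(key_bytes)) > 0

def new_packet(tag, body):
    """Build a new-format packet with a one-octet length (body shorter than 192 bytes)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed samples: bogus key and signature bodies, valid packet framing only.
FULL_KEY = (new_packet(PUBKEY, b"\x04" + b"\x00" * 20)
            + new_packet(USERID, b"Alice <alice@example.org>")
            + new_packet(SIG, b"\x04\x13" + b"\x00" * 8))
STRIPPED_KEY = new_packet(PUBKEY, b"\x04" + b"\x00" * 20) + new_packet(SIG, b"\x04\x13" + b"\x00" * 8)
```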
Re: A key doesn't get imported from one of the keyservers
* 2021-08-03 11:34:13+0300, Yuri Kanivetsky via Gnupg-users wrote:

> $ gpg --keyserver keys.openpgp.org --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
> gpg: key 3804BB82D39DC0E3: no user ID
> gpg: Total number processed: 1
>
> Is something wrong with the key that resides on keys.openpgp.org? Are
> the keys that are on these 3 keyservers the same?

Server keys.openpgp.org is different from SKS keyservers. Read more
about it here:

https://keys.openpgp.org/about

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450
Re: A key doesn't get imported from one of the keyservers
Okay, then... All the keyservers have the key. But keys.openpgp.org
doesn't let it get imported because the owner didn't consent to making
his email address publicly known by verifying his email address.

Which means that the owner doesn't care much about this, otherwise he
would not publish the key to the other servers.

Also, how do I as an owner... apply for verification?

gpg --export your_address@example.net | curl -T - https://keys.openpgp.org

And then follow the instructions at the outputted URL?

Will it invalidate my key (previous version of the key)?

Regards,
Yuri

Re: A key doesn't get imported from one of the keyservers
> Okay, then... All the keyservers have the key. But keys.openpgp.org
> doesn't let it get imported because the owner didn't consent to making
> his email address publicly known by verifying his email address.
>
> Which means that the owner doesn't care much about this, otherwise he
> would not publish the key to the other servers.

Either that, or they don't know about it, or the key was published by someone
else since there are no checks on the other servers. There are currently ~250k
verified addresses, typically it depends on the user's client software (e.g.
GPGTools for macOS has great support for keys.o.o verification, GPG4win has
none).

> Also, how do I as an owner... apply for verification?
>
> gpg --export your_address@example.net | curl -T - https://keys.openpgp.org
>
> And then follow the instructions at the outputted URL?

Yep, that is one way.

> Will it invalidate my key (previous version of the key)?

Only one key can be verified for any email address at one time, so it's possible
to replace keys for an email address, or remove them. As long as it's the same
key, all updates to that key will be merged as usual.

Cheers

- V

Re: A key doesn't get imported from one of the keyservers
On Tue, 3 Aug 2021 11:19, Vincent Breitmoser said:

> Unlike the other keyservers, keys.openpgp.org has a [privacy policy] that
> doesn't permit distributing email addresses without consent. The key

It is not a privacy policy but a serious misconception much like what
keyserver.com and PGP Universal Server did a long time ago.

The OpenPGP spec requires a User ID for the on-wire format of a public
key. Any implementation which violates this rule is not OpenPGP
compliant.

The privacy argument on a user id is a layman's idea of the GDPR. In
fact the key itself is not different than an IP address or mail address
and in fact stronger personal data of a natural person than the
latter.

Note that for reasons of data minimization I would suggest to create
new keys only with a mail address and not with any other data. For
example posteo.de has such a rule for keys used on their platform;
gpg-wks-client even has direct support for such a requirement.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: A key doesn't get imported from one of the keyservers
On 8/4/2021 10:35 AM, Werner Koch via Gnupg-users wrote:
> On Tue, 3 Aug 2021 11:19, Vincent Breitmoser said:
>
>> Unlike the other keyservers, keys.openpgp.org has a [privacy policy] that
>> doesn't permit distributing email addresses without consent. The key
>
> It is not a privacy policy but a serious misconception much like what
> keyserver.com and PGP Universal Server did a long time ago.
>
> The OpenPGP spec requires a User ID for the on-wire format of a public
> key. Any implementation which violates this rule is not OpenPGP
> compliant.
>
> The privacy argument on a user id is a layman's idea of the GDPR. In
> fact the key itself is not different than an IP address or mail address
> and in fact stronger personal data of a natural person than the
> latter.
>
> Note that for reasons of data minimization I would suggest to create
> new keys only with a mail address and not with any other data. For
> example posteo.de has such a rule for keys used on their platform;

If I understand correctly, the 'real name' and 'comment' should be left out.

1) https://posteo.de/en/help/policies-for-public-keys#names

--
John Doe
