[KLUG Members] gpg key signing party.

Bruce Smith bruce at armintl.com
Mon Feb 20 10:07:15 EST 2006


> > 2)  What if I upload my public key now, and change my mind later about
> > my email addresses (I run adduid/deluid later).  Can I change my key
> > on the server?  How?  Can I upload it again and overwrite it?
> 
> I'm not certain.  Do keys contain revision references?
> 
> > 3)  If I can change my key on the server, what keeps other people from
> > changing my key?
> 
> You are uploading your public key,  it can't be generated without your
> private key.  There is no reason to 'protect' the public key.  If it is
> altered without the presence of the private key it will be invalid.

I understand that, but it seems like anyone could generate a
private/public key pair with someone else's email address and upload the
public part.

So why couldn't someone generate a key pair for my email and upload the
public part and overwrite my public key?  (if overwriting is allowed)

> > All I see is the place to upload a key, but nothing on how to change or
> > delete a key, nor any security on the key uploaded. I don't get it!  :-)
> 
> I don't know how modification works with regard to the key server.
> Perhaps you just upload it again?

I'd really like to know that before I upload my key.  If it can be
overwritten easily, I don't care as much about which uid's I have in my
key now (knowing I can change it later).  Otherwise I want to get it
perfect before I upload it.

Anyone want to add/delete a uid from their key and try uploading again?

This all goes back to my original spam question.  I have a couple email
addresses that I rarely use, which [so far] have been able to avoid
getting on any spammer's list.  I don't want those uid's in my key if a
bot is going to harvest them off the key server.  And I might want to
add them later ...

 - BS
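
Added example, not part of the original post: a simplified Python model of the upload question raised above. It computes OpenPGP v4 fingerprints (RFC 4880, section 12.2) for two constructed RSA keys that carry the same email address and stores them in a hypothetical `ToyKeyserver` which, as an assumption about server behaviour, indexes entries by fingerprint and merges uploads instead of overwriting. All key values, addresses and names are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_fingerprint(created: int, n: int, e: int) -> str:
    """v4 fingerprint of an RSA public key: SHA-1 over 0x99, a 2-byte length
    and the public-key packet body. No user ID takes part in the hash."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

class ToyKeyserver:
    """Hypothetical model (assumption): keyed by fingerprint, uploads are merged."""
    def __init__(self):
        self.keys = {}  # fingerprint -> set of uid strings

    def upload(self, fingerprint, uids):
        # Merge only: a uid that was uploaded once stays in the entry.
        self.keys.setdefault(fingerprint, set()).update(uids)

    def search(self, email):
        return sorted(fp for fp, uids in self.keys.items()
                      if any(email in uid for uid in uids))

def demo():
    # Constructed numbers: not real RSA keys, just two distinct sets of key material.
    mine = v4_fingerprint(1140000000, (1 << 2047) + 0x1234567, 65537)
    other = v4_fingerprint(1140000500, (1 << 2047) + 0x7654321, 65537)
    ks = ToyKeyserver()
    ks.upload(mine, ["Alice Example <alice@example.org>"])
    ks.upload(other, ["Alice Example <alice@example.org>"])     # same uid, different key
    ks.upload(mine, ["Alice Example <alice@work.example.org>"])  # re-upload after adduid
    return mine, other, ks

if __name__ == "__main__":
    mine, other, ks = demo()
    for fp in ks.search("alice@example.org"):
        print(fp, sorted(ks.keys[fp]))
```

In this model the second key shows up as a separate entry beside the first rather than replacing it, and the two are told apart only by fingerprint, which is the value compared in person at a key signing party.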



