[KLUG Members] gpg key signing party.
Bruce Smith
bruce at armintl.com
Mon Feb 20 10:07:15 EST 2006
> > 2) What if I upload my public key now, and change my mind later about
> > my email addresses (I run adduid/deluid later). Can I change my key
> > on the server? How? Can I upload it again and overwrite it?
>
> I'm not certain. Do keys contain revision references?
>
> > 3) If I can change my key on the server, what keeps other people from
> > changing my key?
>
> You are uploading your public key, it can't be generated without your
> private key. There is no reason to 'protect' the public key. If it is
> altered without the presence of the private key it will be invalid.
I understand that, but it seems like anyone could generate a
private/public key pair with someone else's email address and upload the
public part.

So why couldn't someone generate a key pair for my email and upload the public
part and overwrite my public key? (if overwriting is allowed)
> > All I see is the place to upload a key, but nothing on how to change or
> > delete a key, nor any security on the key uploaded. I don't get it! :-)
>
> I don't know how modification works with regard to the key server.
> Perhaps you just upload it again?
I'd really like to know that before I upload my key. If it can be
overwritten easily, I don't care as much about which uid's I have in my
key now (knowing I can change it later). Otherwise I want to get it
perfect before I upload it.

Anyone want to add/delete a uid from their key and try uploading again?

This all goes back to my original spam question. I have a couple email
addresses that I rarely use, which [so far] have been able to avoid
getting on any spammer's list. I don't want those uid's in my key if a
bot is going to harvest them off the key server. And I might want to
add them later ...
- BS