
[Debconf-discuss] Please don't upload GPG keys to keyserver when signing them



Today, when asking the GPG keyservers to send me my own keys, I was
surprised to receive them with up to 30 (THIRTY) new signatures.

(indeed, I was not surprised to get some...but I was surprised to get
so many)

As far as I understand, that means that many people seem to upload
keys that they've signed directly to the keyserver.

As far as I've followed the various discussions about keysigning, this
is a very discouraged method as it doesn't check that the IDs and mail
addresses you sign are controlled by the person whose key you want to
sign.

This is indeed why caff does not do this but rather sends the signed
key back to the signed UID, in an encrypted mail.

I'm very far from being in a position to give lessons about keysigning
(those of you who received signatures of mine several times during the
last few days will know why... read my blog for details), but I deeply
suggest *not* uploading signed keys back to keyservers.

Of course, I'd like to thank the people who did so anyway for signing
my keys but, please, next time... use caff to sign keys. It's nearly
as simple as "apt-get install signing-party".

This year, we improved the keysigning process in a nice way, but I
suggest that in future years the initial keysigning meeting includes a
demo about how to sign keys properly. I think that at least the
*technical* way to do things (use caff) is widely accepted enough for
a demo to be worth it.



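The difference between the two flows the post contrasts, as an added simulation (not code from the post or from caff itself): who reads which mailbox and who holds which private key are constructed lookup tables, and a UID whose address is read by someone else never gets its signature published under the caff-style flow.

```python
# Added simulation of the two keysigning flows discussed in the post (not caff's code).
# Mailbox control and private-key possession are constructed lookup tables.
from dataclasses import dataclass, field


@dataclass
class UID:
    name: str
    email: str


@dataclass
class Key:
    fingerprint: str
    uids: list
    # UID email -> set of signer fingerprints the keyserver now carries
    signatures: dict = field(default_factory=dict)


# Constructed world: who reads which mailbox, who holds which private key.
MAILBOXES = {"alice@example.org": "alice", "alice@example.net": "mallory"}
PRIVATE_KEYS = {"ALICE_FPR": "alice"}


def direct_upload(signer_fp: str, key: Key) -> dict:
    """Sign every UID and push straight to the keyserver.
    Nothing checks that the key holder actually reads each address."""
    for uid in key.uids:
        key.signatures.setdefault(uid.email, set()).add(signer_fp)
    return key.signatures


def caff_flow(signer_fp: str, key: Key) -> dict:
    """caff-style: sign one UID at a time, encrypt that signature to the key
    and mail it to the UID's address. It reaches the keyserver only if the
    same person both reads that mailbox and holds the private key."""
    for uid in key.uids:
        reader = MAILBOXES.get(uid.email)  # None: the mail bounces
        if reader is None or PRIVATE_KEYS.get(key.fingerprint) != reader:
            continue  # reader cannot decrypt, so the signature is never uploaded
        key.signatures.setdefault(uid.email, set()).add(signer_fp)
    return key.signatures


def demo():
    """Sign a key with two UIDs, one of whose addresses Alice does not read."""
    uids = [UID("Alice", "alice@example.org"), UID("Alice", "alice@example.net")]
    direct = direct_upload("BOB_FPR", Key("ALICE_FPR", uids))
    caffed = caff_flow("BOB_FPR", Key("ALICE_FPR", uids))
    return direct, caffed
```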