On 2025-11-16 02:57:02 +0000 (+0000), debianmailinglists.hz5zm@simplelogin.com wrote:
Do these other keyring servers leave the key intact? I stopped using the key servers for my small personal projects and just have my public key posted on my personal website because one of them (keys.openpgp.org I think) lists my public key, but it seems to have stripped all the identifying information from it so it can't be searched for by email address and even if you download the copy they have apps like Kleopatra fail to import it, and when comparing it to my copy of the public key I manually exported the contents are MUCH shorter on their copy.
[...]
The main reason for this, as I understand it, is to avoid the vulnerabilities which led to the fall of the SKS keyserver network. In short, the traditional keyserver model of allowing anyone to upload third-party signatures for keys they didn't control led eventually to vandals and other malicious persons uploading unwanted signatures with objectionable content or in volumes which overflowed the ability of clients and servers to deal with them (denial of service on the network and also on specific keys making them irretrievable). They did this in the most severe way possible, essentially filtering out all third-party signatures and even self-signatures and UIDs if the uploader can't prove control of the E-mail addresses associated with them (which implicitly means discarding non-E-mail identities too such as photo images).
Discussions I followed some time ago indicated they were willing to accept updates that enabled a caff-style approval process for third-party signatures at least, but it sounded like the existing team didn't have the resources to develop such a feature and that it would require additional volunteers working on that.
-- Jeremy Stanley