sks-devel

Re: [Sks-devel] Hi everybody!


From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] Hi everybody!
Date: Mon, 30 Nov 2009 13:35:40 -0500
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20091109)

On 11/30/2009 12:22 PM, MailFighter.net Admin wrote:
> My interest is in being able to get what keyids have signed a certain key, in 
> a machine parsable format.

Keyservers can't actually tell you that reliably.  As far as i know, SKS
does no cryptographic validation on the signatures it publishes.

one way to think about this is I might make a key ("X") that is not
uploaded to the keyservers.  but X might be used to certify another key
("Y"), and that certification might be published to the keyservers.
When SKS serves up Y, it should include X's certification, even if it
knows nothing about X.  It *cannot* validate the signature in that case.

Even if the keyserver *did* validation, a cryptographically-secure
application should verify the signatures itself anyway (why trust the
keyserver?).  In addition, most keyservers are accessed in the clear
(there's only one hkps keyserver in existence that i know of), which is
problematic too.

Regards,

        --dkg

PS i'm very interested in what you're working on, as i suspect i've been
thinking over similar things.  If you want to chat off-list about your
project (or direct me to somewhere i can discuss it with you), let me know.

Attachment: signature.asc
Description: OpenPGP digital signature
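
Added example (not part of the original message, and not SKS or GnuPG code): one way to get the signing key IDs in machine-parsable form while doing the validation locally is to parse the colon-delimited output of `gpg --with-colons --check-sigs`. The sample listing is constructed, with made-up key IDs and names; field positions follow GnuPG's documented colon format.

```python
# Added example. Parses the output of `gpg --with-colons --check-sigs <key>`.
# SAMPLE is constructed for illustration; all key IDs and names are made up.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1259600000:::u:::scESC:
uid:u::::1259600000::HASH1::Key Y <y@example.org>:
sig:!::1:AAAAAAAAAAAAAAA1:1259600000::::Key Y <y@example.org>:13x:
sig:!::1:BBBBBBBBBBBBBBB2:1259600100::::Alice <alice@example.org>:10x:
sig:?::1:CCCCCCCCCCCCCCC3:1259600200::::[User ID not found]:10x:
sig:-::1:DDDDDDDDDDDDDDD4:1259600300::::Mallory <m@example.org>:10x:
"""

# Field 2 of a "sig" record when gpg was run with --check-sigs.
STATUS = {
    "!": "verified",      # signature checked against the signer's public key
    "-": "bad",           # signature failed verification
    "?": "unverifiable",  # signer's key is not in the local keyring
    "%": "unverifiable",  # some other error prevented the check
    "": "not-checked",    # plain --list-sigs output: nothing was validated
}

def certifications(colon_output):
    """Yield one dict per "sig" record following a "pub" record."""
    target = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            target = f[4]                      # field 5: key ID being certified
        elif f[0] == "sig" and target and len(f) > 10:
            yield {
                "target": target,
                "signer": f[4],                # field 5: issuer key ID
                "status": STATUS.get(f[1], "unverifiable"),
                "sigclass": f[10],             # field 11: e.g. 10x, 13x
                "self_sig": f[4] == target,
            }

def verified_signers(colon_output):
    """Key IDs of third parties whose certifications verified locally."""
    return sorted({c["signer"] for c in certifications(colon_output)
                   if c["status"] == "verified" and not c["self_sig"]})

if __name__ == "__main__":
    for c in certifications(SAMPLE):
        print(c["target"], "<-", c["signer"], c["status"], c["sigclass"])
    print("verified third-party signers:", verified_signers(SAMPLE))
```

A "verified" status only means the signature checks out against the signer's key in the local keyring; whether that signer is trusted is a separate decision.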

