Re: [Sks-devel] About deleting keys

[dirk astrath]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

> I don't understand your point here, can you please elaborate? For 
> clients accessing the pool the results are simply a DNS round
> robin and the client connects to a given SKS server. If there is 
> fragmentation in the network we'd have to split the servers
> (probably exclude servers with deleted keys).

Some days/weeks(?) ago i posted a share on Google+ according to this
issue:

Data Protection and PGP/GnuPG ?!?!?!

Inspired by the  +OHM Observe Hack Make-Talk about "Trolling the
PGP/GnuPG-Web of Trust" by +Micah Lee I installed an "own"
PGP/GnuPG-keyserver on two of my servers.

One of these servers is available using the worldwide server-pool, the
other server is an experimental one and not connected to the pool.

While experimenting and having severals talks to a german lawyer and
+Jochim Selzer (wo takes care about data protection issues) I detected
a major issue, which may have a bigger impact to german (and maybe
european) keyservers.

The issue is the storage of personal data in worldwide databases
without the possibility to get them deleted. German law enables
everybody to get their data removed from databases. No matter if the
data is in databases accessible via internet or in closed databases
accessible for employees of a company.

You may now note, that everybody should take care about uploading the
public key to a public keyserver. But there is absolutely no notice
telling the user, that the key is published and can never be deleted,
no matter if the key is uploaded by PGP/GnuPGP or via a website of a
keyserver.

Furthermore anybody can send a public key to the keyserver-pool. There
is no need to have the private key for the upload. As soon as I
publish my public key on my website or send it via email etc. it's out
of my focus. Together with my name, my email-adress and (depending of
the data) the company I work at.

Now expect the following case:

An underaged wants to exchange protected emails with friends. When
contacting a Certificate Authority, the permission of the parents is
needed for storing the data and signing a "contract". If the
permission is not granted, the company can be forced to revoke the
contract and delete all data.

For the PGP/GnuPG-keyservers nobody asks for the permission when
publishing the key data like name or email-adress. Therefore anybody
can send and publish the personal data on the keyservers.

Let's now come back to the talk at OHM I mentioned some at the
beginning of this share
(https://www.eff.org/event/ohm2013-trolling-web-trust) :

If there is no private key needed and no verification done everybody
can generate keys with every combination of name and email-adress,
generated at random dates and upload them to the keyservers. And if
everybody is able to generate and publish fake keys everybody can
build up fake web of trust.

You my now argue that it's possible to revoke a key.

This is absolutely correct, but a revocation will not be possible if
you don't have the private key. And revocation will not remove the key
from the keyserver-pool.

This means:

If a keyserver-maintainer isn't able to delete the key from the server
database, a shutdown of the server can be forced.

Thanks for reading ...

- -----> Read the follow-up mail for a possible solution i have in my
mind ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJwKmUACgkQVuf/iihAxwh/gwCfQ3Gzm4U5su3m9OCnObpWCHgm
2sUAoK1Y7bPPC0wvv6HQPjE6wz+cV4o1
=0Snp
-----END PGP SIGNATURE-----