Updating OpenPGP keyserver: adding and removing identities

1

When adding new identities to my OpenPGP key, I can upload the public key to a keyserver for others to update their copy.

Now, when I remove an identity, will the keyserver update to the new version of my public key, or will it keep the older copy since the new version contains fewer identities?

If it does update the key, like I asked for, will someone else be able to overwrite my new copy of the public key with their old one, if they were to upload it?

comfreak

Posted 2016-04-07T09:20:34.387

Reputation: 739

Answers

2

An OpenPGP key is not a single object, but consists of a whole stream of OpenPGP packets. For example, a public key message consists of (among others) the primary public key packet, subkey packets, user ID packets and different kinds of signatures, some providing certifications by other OpenPGP users, others binding user IDs and subkeys. Key servers will always merge those packets, never delete anything.

If it does update the key, like I asked for, will someone else be able to overwrite my new copy of the public key with their old one, if they would upload it?

If you add another user ID, another packet will be added (and merged when sent to the key servers). This also means that other users uploading "old" versions of your key will not remove your newly added user IDs -- they upload an "incomplete" copy, which will get merged (and probably not change anything at all).

Now, when I remove an identity, will the keyserver update to the new version of my public key, or will it keep the older copy since the new version contains less identities?

On the other hand, this also means you cannot delete old user IDs, as this does not fit the "merge" mode of operation the key servers have. Instead, you revoke old user IDs (and all other kinds of OpenPGP entities), which results in a special revocation signature added as another OpenPGP packet, and merged into your public key.

Jens Erat

Posted 2016-04-07T09:20:34.387

Reputation: 14 141

1

You cannot "overwrite" or otherwise remove data from a PGP keyserver – you can only revoke it (using GnuPG's revuid), and then upload the "revocation signature" to the keyserver.

However, modern keyservers only accept identities signed by the main key – that's the "[self-signature]" entry that you can see in a signature list. While someone could easily craft a fake user ID packet, they cannot fake a self-signature.

user1686

Posted 2016-04-07T09:20:34.387

Reputation: 283 655

Thanks for your answer! So basically, if I want to remove a UID, I have to make a revocation for the UID and then the keyserver will remove it from my key if someone downloads it? – comfreak – 2016-04-07T10:46:08.203

This does not really target what @comfreak is asking. While the objections regarding revocation instead of deleting user IDs are valid and somewhat important in this case, you missed the point of how key servers merge different revisions of keys. Finally, you should never put trust in key servers. They mostly do verify self-signatures and usually there will be no faked user IDs, but most key servers are operated by complete strangers and data transmission is often completely unverified. – Jens Erat – 2016-04-08T15:42:09.957
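The following Python model, added here as an illustration and not code from GnuPG, SKS or either answerer, plays through the behaviour both answers describe: a key is a stream of packets, a keyserver merges by set union and never deletes, so a copy uploaded after `deluid` changes nothing, a `revuid` adds a revocation signature packet that survives replays of old copies, and a user ID without a self-signature is dropped. The packet framing follows the new-format headers of RFC 4880 section 4.2.2, but the signature bodies are a constructed stand-in (one type octet plus an 8-octet issuer key ID), not the real signature layout, and nothing is cryptographically verified: a real keyserver checks the self-signature, this toy only reads the issuer field. The key material, addresses and the `key_id` derivation are constructed for the example.

```python
# Toy keyserver merge model (constructed example, not GnuPG/keyserver code).
# Signature bodies: one type octet + 8-octet issuer key ID (a stand-in for the
# real RFC 4880 signature packet; no cryptographic verification is done).
from dataclasses import dataclass, field
from typing import Optional

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13  # RFC 4880 section 4.3
SIG_POSITIVE_CERT, SIG_CERT_REVOCATION = 0x13, 0x30      # RFC 4880 section 5.2.1

def encode_packet(tag: int, body: bytes) -> bytes:
    """New-format packet header (RFC 4880 4.2.2) for bodies below 8384 octets."""
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

def parse_packets(data: bytes):
    """Yield (tag, body) for each new-format packet in a binary key stream."""
    i = 0
    while i < len(data):
        tag, first = data[i] & 0x3F, data[i + 1]
        if first < 192:
            n, i = first, i + 2
        elif first < 224:
            n, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
        else:  # 255 = five-octet length; partial body lengths are not handled here
            n, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
        yield tag, data[i:i + n]
        i += n

@dataclass
class Key:
    primary: bytes                             # public key packet body
    uids: dict = field(default_factory=dict)   # user ID body -> [signature bodies]

def key_id(key: Key) -> bytes:
    return key.primary[:8]  # constructed stand-in; a real key ID comes from the fingerprint

def toy_signature(sig_type: int, issuer_key_id: bytes) -> bytes:
    return bytes([sig_type]) + issuer_key_id

def parse_key(data: bytes) -> Key:
    """Group each signature under the user ID packet preceding it (RFC 4880 11.1)."""
    packets = list(parse_packets(data))
    if packets[0][0] != TAG_PUBLIC_KEY:
        raise ValueError("stream must start with a public key packet")
    key, sigs = Key(packets[0][1]), None
    for tag, body in packets[1:]:
        if tag == TAG_USER_ID:
            sigs = key.uids.setdefault(body, [])
        elif tag == TAG_SIGNATURE and sigs is not None and body not in sigs:
            sigs.append(body)  # subkeys and direct-key signatures are ignored in this toy
    return key

def merge(stored: Optional[Key], incoming: Key) -> Key:
    """Keyserver semantics: set union of packets; nothing is ever removed."""
    if stored is None:
        stored = Key(incoming.primary)
    elif stored.primary != incoming.primary:
        raise ValueError("not the same primary key")
    for uid, sigs in incoming.uids.items():
        if not any(s[1:] == key_id(incoming) for s in sigs):
            continue  # server policy: a user ID without a self-signature is dropped
        have = stored.uids.setdefault(uid, [])
        have.extend(s for s in sigs if s not in have)
    return stored

def uid_status(key: Key, uid: bytes) -> str:
    """A revocation self-signature wins over any positive self-certification."""
    kinds = {s[0] for s in key.uids.get(uid, []) if s[1:] == key_id(key)}
    if SIG_CERT_REVOCATION in kinds:
        return "revoked"
    return "valid" if SIG_POSITIVE_CERT in kinds else "unbound"

def build_key(primary: bytes, *groups) -> bytes:
    """Assemble a key stream: primary packet, then (user ID, [signatures]) groups."""
    out = encode_packet(TAG_PUBLIC_KEY, primary)
    for uid, sigs in groups:
        out += encode_packet(TAG_USER_ID, uid)
        out += b"".join(encode_packet(TAG_SIGNATURE, s) for s in sigs)
    return out

def run_scenario() -> dict:
    """Constructed uploads following the question: add, deluid, revuid, replay, forge."""
    primary = bytes.fromhex("0123456789abcdef") + b"constructed key material"
    me, stranger = primary[:8], bytes.fromhex("ffffffffffffffff")
    home, work = b"Alice <alice@example.org>", b"Alice <alice@example.com>"
    selfsig = toy_signature(SIG_POSITIVE_CERT, me)
    v1 = build_key(primary, (home, [selfsig]), (work, [selfsig]))
    v2 = build_key(primary, (home, [selfsig]))  # local copy after 'deluid'
    v3 = build_key(primary, (home, [selfsig]),
                   (work, [selfsig, toy_signature(SIG_CERT_REVOCATION, me)]))
    forged = build_key(primary, (b"Mallory <m@example.net>",
                                 [toy_signature(SIG_POSITIVE_CERT, stranger)]))
    store, states = None, {}
    for name, upload in [("v1", v1), ("v2 deluid", v2), ("v3 revuid", v3),
                         ("v1 replayed", v1), ("forged uid", forged)]:
        store = merge(store, parse_key(upload))
        states[name] = {u.decode(): uid_status(store, u) for u in store.uids}
    return states
```

Calling `run_scenario()` shows the work address still "valid" after the `deluid` upload, "revoked" after the `revuid` upload, still "revoked" when the original v1 copy is replayed by a third party, and the forged user ID never appearing, because the merge drops a user ID whose only certification does not come from the key itself.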