[Sks-devel] Verification of keys on upload and removal options

[Douglas]

Hi all,

Traditionally key servers have not had any options for deleting keys, so over the years there ends up being a number of invalid keys where the owner no longer has the corresponding private key or has closed the email account tied to the key.

The problem of not being able to delete keys also contributes to the issue of keyserver based harassment or "doxing," where personal information and emails are uploaded without permission. Since the keyserver does not verify ownership of an email before accepting the key, anyone can create and upload a key for any email and include personal information in the name field.

An example of 'Obama' : http://pgp.mit.edu/pks/lookup?search=obama&op=index

'Hillary Clinton' shows similar issues : http://pgp.mit.edu/pks/lookup?search=hillary+clinton&op=index

One can also create and upload keys which contain a victim's username, legal name, phone number, address, and other personal information and upload the key to the keyserver. It would essentially be a permanent record for someone's personal information.

It doesn't benefit anyone to retain keys uploaded with malicious intent, so I believe it's worth discussing a mechanism for key removal due to abuse of the system.

Thank you.