OpenPGP Certificates cannot be deleted from keyservers

Due to my involvement in sks-keyservers.net I frequently get questions on whether I can remove OpenPGP certificates from the keyservers.

TL;DR: removing an OpenPGP certificate from the keyserver network is not possible.

To start off with, the OpenPGP keyserver network consists of more than 150 keyservers that continuously reconcile their databases with their peers, and reconciliation only ever adds what a server is missing; it never propagates a deletion. Even if I deleted a certificate from the servers I operate, it would be re-added at the next synchronization with the other servers. Removal would only stick if every keyserver in the network dropped the certificate in a coordinated fashion, which is virtually impossible.

The correct way to flag a key as no longer in use is revocation. Revoking requires access to the private key, or a revocation certificate that was generated while the private key was still available; GnuPG 2.1 generates such a revocation certificate automatically when a key is created and stores it in ${GNUPGHOME}/openpgp-revocs.d for exactly this purpose. Once the revocation has been imported locally, the updated certificate is uploaded to the keyservers like any other change: the revocation signature is part of the certificate, so it spreads through the same reconciliation that makes deletion impossible.

Data is by design never removed from keyservers, much as it stays around in a blockchain. One should never validate a public keyblock based solely on the email address in a UID found on a keyserver. Before using a public keyblock it needs proper due diligence: verify, inter alia, the fingerprint, creation time and key algorithm with the perceived owner of the keyblock out of band before signing (certifying) it and using it as a trusted channel. That several certificates exist for a single email address is, from a cryptographic and security point of view, irrelevant; it only becomes a problem when people do not follow proper due-diligence procedure.
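Both points above, that revocation is the only way to flag a key and that fingerprint, creation time and algorithm must be checked rather than the UID, come down to what a client does with the keyblock it receives. The following is an added example, not code from this post or from sks-keyservers.net: a minimal RFC 4880 packet walker in Python that takes a keyblock as a keyserver would return it, computes the v4 fingerprint and key ID, extracts creation time and algorithm, and reports whether a primary-key revocation signature (signature type 0x20) is present together with its reason-for-revocation subpacket. The sample keyblock is constructed inline with a toy RSA modulus and a placeholder signature value, so it is not a real key and its revocation signature is not cryptographically valid; the parser inspects structure only and does not verify signatures, which a real client (GnuPG does this) must do before trusting a revocation.

```python
# Added example (not from the post or sks-keyservers.net): minimal RFC 4880 packet
# walker that reports fingerprint, creation time, algorithm and revocation status.
import hashlib
import struct

KEY_REVOCATION = 0x20   # signature type: primary-key revocation (RFC 4880 5.2.1)
SUBPKT_CREATED, SUBPKT_ISSUER, SUBPKT_REASON = 2, 16, 29   # subpacket types

def _read_length(buf, i, max_two):
    """New-format length: 1 octet (<192), 2 octets (192..max_two), 5 octets (255)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first <= max_two:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")

def parse_packets(data):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if hdr & 0x40:                               # new-format header
            tag = hdr & 0x3F
            length, i = _read_length(data, i + 1, 223)
        else:                                        # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype                        # 1, 2 or 4 length octets
            length = int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        yield tag, data[i:i + length]
        i += length

def parse_subpackets(buf):
    """Yield (type, data) per signature subpacket; the length counts the type octet."""
    i = 0
    while i < len(buf):
        length, i = _read_length(buf, i, 254)
        yield buf[i], buf[i + 1:i + length]
        i += length

def v4_fingerprint(pubkey_body):
    """v4 fingerprint: SHA-1 over 0x99, the two-octet body length, and the body."""
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()

def inspect_keyblock(data):
    """Return the facts to verify out of band, plus whether a revocation is present."""
    info = {"revoked": False, "revocation_reason": None, "uids": []}
    for tag, body in parse_packets(data):
        if tag == 6:                                 # public-key packet
            if body[0] != 4:
                raise ValueError("only v4 keys are handled here")
            info["created"] = struct.unpack(">I", body[1:5])[0]
            info["algorithm"] = body[5]              # 1 = RSA
            info["fingerprint"] = v4_fingerprint(body)
            info["key_id"] = info["fingerprint"][-16:]   # low 64 bits of fingerprint
        elif tag == 13:                              # user ID packet
            info["uids"].append(body.decode("utf-8"))
        elif tag == 2 and body[0] == 4 and body[1] == KEY_REVOCATION:
            # Structural check only: a real client must verify this signature against
            # the primary key (or a designated revoker) before trusting it.
            info["revoked"] = True
            hashed_len = struct.unpack(">H", body[4:6])[0]
            for sp_type, sp_data in parse_subpackets(body[6:6 + hashed_len]):
                if sp_type == SUBPKT_REASON:         # 1 octet code + UTF-8 text
                    info["revocation_reason"] = (sp_data[0], sp_data[1:].decode("utf-8"))
    return info

# ---- constructed sample keyblock: toy RSA modulus and a placeholder signature MPI,
# ---- so NOT cryptographically valid; it only exercises the parser above.
def _mpi(value):
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def _packet(tag, body, old=False):
    """Packet with a one-octet length (body < 192); old-format header if old=True."""
    return bytes([(0x80 | (tag << 2)) if old else (0xC0 | tag), len(body)]) + body

def _subpacket(sp_type, data):
    return bytes([len(data) + 1, sp_type]) + data

CREATED = 1420070400                                 # 2015-01-01T00:00:00Z, arbitrary
PUBKEY_BODY = (bytes([4]) + struct.pack(">I", CREATED) + bytes([1])    # v4, RSA
               + _mpi(0xC0FFEE5EED1234567) + _mpi(65537))
UID = b"Alice Example <alice@example.org>"
_hashed = (_subpacket(SUBPKT_CREATED, struct.pack(">I", CREATED + 86400))
           + _subpacket(SUBPKT_REASON, bytes([2]) + b"key compromised"))   # 2 = compromised
_unhashed = _subpacket(SUBPKT_ISSUER, bytes.fromhex(v4_fingerprint(PUBKEY_BODY)[-16:]))
REVSIG_BODY = (bytes([4, KEY_REVOCATION, 1, 8]) + struct.pack(">H", len(_hashed)) + _hashed
               + struct.pack(">H", len(_unhashed)) + _unhashed + b"\x00\x00" + _mpi(1))

KEYBLOCK_LIVE = _packet(6, PUBKEY_BODY, old=True) + _packet(13, UID)
KEYBLOCK_REVOKED = _packet(6, PUBKEY_BODY, old=True) + _packet(2, REVSIG_BODY) + _packet(13, UID)
```

Calling `inspect_keyblock(KEYBLOCK_REVOKED)` reports the same fingerprint, creation time and algorithm as for `KEYBLOCK_LIVE`, plus `revoked: True` with reason code 2 ("key compromised"); the only difference between the two blobs is the extra signature packet, which is exactly what an upload after `gpg --import` of a revocation certificate adds. The take-away from the post is that the client-side question is never "is the certificate still on the keyserver" (it always will be) but "does the keyblock carry a valid revocation signature from the key itself or a designated revoker". Subkey (0x28) and certification (0x30) revocations, v3 keys and partial body lengths are deliberately left out to keep the example short.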

To make the story even longer: even if deletion were technically possible, the social protocol for it is missing. Two (or more) people may share the same name, and email addresses change hands over time; if a previous user gave up an address, that would not make their certificate any less valid just because someone else has since taken the address over. Anyone able to remove data would also need a way to authenticate the request. In addition, a keyserver operator who incorrectly deleted a key, allowing it to be replaced by a man-in-the-middle certificate, could be exposed to legal liability.

2 thoughts on “OpenPGP Certificates cannot be deleted from keyservers”

  1. I've heard some argue the correct way to mark a key as unused is expiration, with the reason being people might question your security practices and mistrust your signatures with too many revoked keys. Seems like a pretty philosophical difference to me, because you can always specify a reason when revoking.

  2. Users new to GnuPG or PGP who need to submit their public key to a Key Server should avoid those old-fashioned (in the post-Snowden era) Key Servers and use a modern one like keybase.io, where those restrictions do not apply.
