PGP Keyserver Documentation



Description

The PGP public key servers are only intended to help users exchange public keys. In NO EVENT do they guarantee that a given key is valid; to assess the trust in a key, you must use the signatures attached to the key itself.

The public key servers are accessible by e-mail and through a WWW interface. The RedIRIS server is available at:

There are PGP public key servers distributed across the world. A list of some of them is available here.
Sending a public key to just one server is enough. After processing it, the server that received the key will forward it to the other servers during the synchronization process.

Submitting a key to the Keyserver

If you decide to submit a key to the RedIRIS Keyserver using the WWW interface, you just have to connect to the server pages and paste your public key (in ASCII-armored format) into the form field designed for it.

If you decide to submit your key by e-mail, you have to send a message like the following one:

To: pgp-public-keys@rediris.es
From: chelo.malagon@rediris.es
Subject: add

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6


-----END PGP PUBLIC KEY BLOCK-----

Sending your key to just ONE server is enough. After processing it, the server will forward it to the other servers automatically. If the submitted key already exists on the server, the stored key will be updated with the new signatures or identifiers associated with it.
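The following is an added example, not part of the RedIRIS documentation, showing the checks a keyserver's e-mail interface would run on a message like the one above before accepting it: the Subject must carry the 'add' command, the body must contain one complete PUBLIC KEY BLOCK, and the armor's CRC-24 checksum (RFC 4880 section 6) must match the decoded data, so a key damaged in transit is refused rather than stored and propagated to every other server. The message, the sender address and the armored payload are constructed sample data; the function names are this example's own.

```python
"""Check a key submission sent to the keyserver by e-mail.

Added example, not part of the RedIRIS documentation: it reads a message in
the shape shown above, checks that the Subject carries the 'add' command,
extracts the ASCII-armored block and verifies the armor structure and its
CRC-24 checksum as specified in RFC 4880 section 6. The message, the
addresses and the armored payload are constructed sample data.
"""
import base64
import re
from email import message_from_string
from typing import Dict, Optional, Tuple

ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.DOTALL
)


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(block_type: str, payload: bytes, headers: Optional[Dict[str, str]] = None) -> str:
    """Build an armored block; used here only to construct the sample message."""
    out = [f"-----BEGIN PGP {block_type}-----"]
    out += [f"{k}: {v}" for k, v in (headers or {}).items()]
    out.append("")
    b64 = base64.b64encode(payload).decode()
    out += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    out.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode())
    out.append(f"-----END PGP {block_type}-----")
    return "\n".join(out)


def dearmor(text: str) -> Tuple[str, Dict[str, str], bytes]:
    """Return (block type, armor headers, binary payload) or raise ValueError."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no complete PGP armored block found")
    block_type, body = m.group(1), m.group(2)
    lines = [ln.rstrip("\r") for ln in body.split("\n")]
    headers: Dict[str, str] = {}
    # Armor headers ("Key: Value") come first and end at a blank line.
    while lines and lines[0].strip() and ":" in lines[0]:
        key, _, value = lines.pop(0).partition(":")
        headers[key.strip()] = value.strip()
    data_lines = [ln for ln in lines if ln.strip()]
    if not data_lines or not data_lines[-1].startswith("="):
        raise ValueError("missing CRC-24 line before the END line")
    crc_line = data_lines.pop()
    payload = base64.b64decode("".join(data_lines), validate=True)
    expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: the armored data was damaged in transit")
    return block_type, headers, payload


def check_submission(raw_message: str) -> dict:
    """Apply the e-mail interface rules: Subject 'add' plus one valid PUBLIC KEY BLOCK."""
    msg = message_from_string(raw_message)
    command = (msg.get("Subject") or "").strip().lower()
    if command != "add":
        raise ValueError(f"unsupported command in Subject: {command!r}")
    block_type, headers, payload = dearmor(msg.get_payload())
    if block_type != "PUBLIC KEY BLOCK":
        raise ValueError(f"expected a PUBLIC KEY BLOCK, got {block_type}")
    return {"command": command, "headers": headers, "payload": payload}


def rejects(raw_message: str) -> bool:
    """True when the submission is refused; used for the negative cases below."""
    try:
        check_submission(raw_message)
    except ValueError:
        return True
    return False


# Constructed sample: 32 placeholder bytes stand in for real key packets.
SAMPLE_PAYLOAD = bytes(range(32))
SAMPLE_MESSAGE = (
    "To: pgp-public-keys@rediris.es\n"
    "From: user@example.org\n"
    "Subject: add\n\n"
    + armor("PUBLIC KEY BLOCK", SAMPLE_PAYLOAD, {"Version": "2.6"}) + "\n"
)
# Same message with the first base64 character altered: the CRC-24 must catch it.
_first_data = SAMPLE_MESSAGE.index("Version: 2.6\n\n") + len("Version: 2.6\n\n")
TAMPERED_MESSAGE = SAMPLE_MESSAGE[:_first_data] + "B" + SAMPLE_MESSAGE[_first_data + 1:]
# Same message with a command the interface does not accept.
WRONG_COMMAND = SAMPLE_MESSAGE.replace("Subject: add", "Subject: delete")

if __name__ == "__main__":
    result = check_submission(SAMPLE_MESSAGE)
    print(f"accepted {len(result['payload'])} bytes, armor headers {result['headers']}")
    print("tampered copy rejected:", rejects(TAMPERED_MESSAGE))
```

The CRC-24 only detects accidental damage (a line wrapped or a character dropped by a mail gateway); it is not a signature and says nothing about who owns the key, which is exactly why the page insists that trust comes only from the signatures on the key itself.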

Bear in mind that, once you submit your key, it will be distributed to the other servers in the world within a short time. Please be SURE that the key is valid.

Since the ONLY way to remove a key from the Keyserver is by means of a Key Revocation Certificate, we recommend that you GENERATE A REVOCATION CERTIFICATE and store it in a safe place before submitting your key. Generating this certificate requires access to your private key; if you later lose the private key or forget your passphrase, you will still be able to use the revocation certificate to remove your (no longer valid) public key.

Searching the server for keys

Removing a key from the Keyserver

A Key Revocation Certificate is NECESSARY for removing a public PGP key from the server.

Three different cases may occur:

  • You have a revocation certificate available, as recommended in the section Submitting a key to the Keyserver:
    Connect to the server and input the certificate using the form designed for it. Afterwards, click the 'Send' button.
    If you prefer to use e-mail, send a message containing the certificate to pgp-public-keys@rediris.es using the command 'add' in its 'Subject:' field.
  • You have no revocation certificate available, but you have access to your private key:
    Generate a revocation certificate and follow the steps described in the item above.
  • You have no revocation certificate and have lost your private key, or forgotten the passphrase to access it:
    In this case it is COMPLETELY IMPOSSIBLE to remove your key from the server, since you cannot offer trustworthy proof of your identity and of your rights over the key.
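Because the removal path above is the same 'add' command used for submitting keys, the server has to recognise a revocation certificate among whatever packets arrive. The following is an added example, not part of the RedIRIS documentation or of any keyserver's code: it walks the OpenPGP packet headers (RFC 4880 section 4.2), reads the signature type of each signature packet (section 5.2), and reports whether the submission carries a public key, a revocation signature, or both. It assumes the ASCII armor has already been stripped; the packet bytes are constructed minimal samples, not real key material, and are only parsed as far as the fields this check needs.

```python
"""Tell a public key submission from a revocation certificate.

Added example (not from the RedIRIS documentation): walks OpenPGP packet
headers per RFC 4880 section 4.2 and inspects signature packets per
section 5.2 to find revocation signatures. Input is binary packet data
(armor already removed). All sample bytes below are constructed.
"""
from typing import Dict, List, Tuple

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
# Signature types that revoke something (RFC 4880 section 5.2.1).
REVOCATION_SIG_TYPES: Dict[int, str] = {
    0x20: "key revocation",
    0x28: "subkey revocation",
    0x30: "certification revocation",
}


def read_packet_header(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, body_offset, body_length) for the packet starting at buf[pos]."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError(f"invalid packet tag byte at offset {pos}")
    if ctb & 0x40:  # new-format header: tag in the low six bits
        tag = ctb & 0x3F
        first = buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not supported here")
    tag = (ctb >> 2) & 0x0F  # old-format header: tag in bits 5..2
    length_type = ctb & 0x03
    if length_type == 3:
        raise ValueError("indeterminate-length packets are not supported here")
    nbytes = 1 << length_type  # 1, 2 or 4 length octets
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")


def walk_packets(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a packet sequence into (tag, body) pairs, refusing truncated data."""
    packets, pos = [], 0
    while pos < len(buf):
        tag, start, length = read_packet_header(buf, pos)
        end = start + length
        if end > len(buf):
            raise ValueError(f"packet with tag {tag} is truncated")
        packets.append((tag, buf[start:end]))
        pos = end
    return packets


def signature_type(body: bytes) -> int:
    """Signature type octet for v3 (RFC 4880 5.2.2) and v4 (5.2.3) signatures."""
    version = body[0]
    if version == 3:
        return body[2]
    if version == 4:
        return body[1]
    raise ValueError(f"unsupported signature version {version}")


def classify(buf: bytes) -> dict:
    """Summarise a submission: does it carry a public key, and which revocations?"""
    has_key = False
    revocations: List[str] = []
    for tag, body in walk_packets(buf):
        if tag == TAG_PUBLIC_KEY:
            has_key = True
        elif tag == TAG_SIGNATURE:
            kind = REVOCATION_SIG_TYPES.get(signature_type(body))
            if kind:
                revocations.append(kind)
    return {"has_public_key": has_key, "revocations": revocations}


def malformed(buf: bytes) -> bool:
    """True when the packet data cannot be parsed (e.g. cut off in transit)."""
    try:
        classify(buf)
    except ValueError:
        return True
    return False


# Constructed samples. Bodies hold only the leading fields this check reads.
KEY_BODY = b"\x04" + b"\x00\x00\x00\x00" + b"\x01"  # v4 key, creation time, RSA
SAMPLE_KEY_SUBMISSION = (
    b"\x99\x00\x06" + KEY_BODY                      # old-format tag 6, 2-byte length
    + b"\xB4\x05alice"                              # old-format tag 13, user ID
    + b"\xC2\x0A" + b"\x04\x13\x01\x08\x00\x00\x00\x00\x12\x34"  # v4 sig, type 0x13
)
# What a tool such as 'gpg --gen-revoke' emits: a lone signature of type 0x20.
SAMPLE_REVOCATION_CERT = b"\xC2\x0A" + b"\x04\x20\x01\x08\x00\x00\x00\x00\xAB\xCD"
TRUNCATED = SAMPLE_REVOCATION_CERT[:-3]

if __name__ == "__main__":
    print("key submission:", classify(SAMPLE_KEY_SUBMISSION))
    print("revocation certificate:", classify(SAMPLE_REVOCATION_CERT))
    print("truncated data rejected:", malformed(TRUNCATED))
```

Recognising the packet type is only the first step: before a server applies a revocation it must still verify the signature against the public key it already holds for that key ID, which is what makes the third case above impossible to resolve without the private key.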

Generating a revocation certificate

The generation of a key revocation certificate depends on the PGP version you are using:
  • PGP version 2.6.3:
    1. Deactivate your key using the option -kd:
      pgp -kd <your key>
    2. Answer yes to the questions about revoking your key.
    3. Once revoked, dump your key into ASCII format:
      pgp -kxa <your key>
  • PGP version 5.X:
    1. Deactivate your key using the option --revoke:
      pgpk --revoke <your key>
    2. Answer yes to the questions about revoking your key.
    3. Once revoked, dump your key into ASCII format:
      pgpk -xa <your key>
  • PGP version 6.X:
    1. Deactivate your key using the option -kd:
      pgp6 -kd <your key>
    2. Answer yes to the questions about revoking your key.
    3. Once revoked, dump your key into ASCII format:
      pgp6 -kxa <your key>
  • GnuPG:
    1. Generate a revocation certificate using the option --gen-revoke:
      gpg --gen-revoke <your key>
    2. Answer yes to the questions about revoking your key.

Remember that you must make a copy of your keyrings before the revocation and restore them afterwards; this way, your own copy of the public key is not destroyed. You must also bear in mind that the revocation certificate has to be kept in a safe place, since anybody with access to it can revoke your key permanently.

Additional information

If you want further information:

  1. Marc Horowitz's pages.
  2. 1st Meeting of PGP Keyservers Administrators.