PGP: Public Key Servers

Copyright © 2002-2012, 2014, 2016, 2022 by David E. Ross

This page assumes the reader understands how to generate a PGP key pair and what it means to sign someone else's key or to revoke your own key. The User's Guide that came with your version of PGP is generally a good source of information on these topics.

NOTE WELL: Many key servers have stopped synchronizing with each other because of hostile attacks. These attacks involve uploading fraudulent public keys and valid public keys with fraudulent signatures. There might even be cause to reject using key servers at all. For details, see SKS Keyserver Network Under Attack.

In checking my own public keys on various key servers, I now see unknown signatures. In many cases, the public key of the signer is NOT on the server.

The best protection against injury from fraudulent public keys is to practice what is described in the Web of Trust. After all, few key servers authenticate the public keys uploaded to them. Instead, they accept all uploads. Thus, a user must separately authenticate any public key obtained from a key server.


Searching for Keys

Uploading a Key

Public Key Servers (includes a list of servers)

Remove a Key From a Key Server?

A public key server maintains a collection of public PGP keys. Someone with a new public key can add that key to a server's collection. Anyone seeking someone else's public key can search the collection. Keys already in a server's collection can also be updated. Such updates can reflect the addition of key signatures by other PGP users or the addition of a new user ID (i.e., a new E-mail address for the key's owner). Also an update can reflect the owner having revoked the key. However, once a key has been added to a key server, consider it not removable.

There are several different Internet protocols (communication interfaces) used by key servers. Servers that use HTTP permit searches for individual keys or may be used to find a set of keys that share a common characteristic. Also, most servers allow searches by the PGP application itself.

Searching for Keys

You want the key of someone, and you know her E-mail address. Or you want to check the status of your own key. Or you already have someone else's key, but you want to see if anyone else new has signed that key. Or …

You search a selected HTTP key server for a key by specifying either a part of the user ID (e.g., rossde for my keys) or the complete key ID (e.g., 0xE3EFE1A7). The 0x (zero-eks, not oh-eks) at the beginning is mandatory for key ID specifications; it indicates that the ID is a string of hexadecimal bytes. The server returns all keys that satisfy that request.

The easiest way to use these protocols is to set up server information in PGP's Options. All servers listed in the table in the middle of this page should be acceptable to PGP. Then, you use PGP's Servers menu to perform the search. Note that a domain server contains keys only for one E-mail domain (e.g., only for (A domain key server is usually only semi-public. It is used by a company just for the keys of its own employees. The public might be allowed to download a key from a domain server, but often only a system administrator can upload keys to it.) A search through PGP's Search menu returns a list of keys in a display very similar to the standard PGPkeys window. You can examine signatures and properties in that list. Then, just mark one or more keys and then use a pull-down menu to import them into your keyring. Yes, searching for a PGP key actually means downloading that key.

Often, key servers that support the HTTP protocol also provide Web pages for use in searching for a key. Using the HTTP protocol, these allow you to input a single identification (part of the user ID or the entire key ID). Usually, they also allow you to specify short or verbose. The former returns a listing of the keys that satisfy the request, one line per key. The latter shows all the signatures on each key. Sometimes, a Web page uses the terms index and verbose. One server even has the descriptive terms Simple index and Key & who has signed it. Some Web sites do not give any option.

Note that, with a Web page, downloading requires one extra step after a successful search. Keys are listed with a link (often at the key ID). Select the link to download and see the key. Then copy the resulting Web page and paste it into the PGPkeys window to add it to your keyring. Extraneous information on the Web page may be included in the copy; PGP will automatically paste only the key itself.

Warning: As noted in the box at the top of this page, just because you obtained a public key from a server does not mean that the key is authentic, that the actual owner is really who he or she claims to be. If you have a message that is so sensitive that it must be encrypted, then you must also verify the authenticity of the key and its owner. Once you have done that, you then sign the key to mark it as verified. (You may then wish to distribute the signed key to let others know of your verification. This is the following subject.)
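The search and the warning above can be put together in a short script. This is an added example, not part of the original page: it builds a lookup URL in the form used by the HKP keyserver draft (`/pks/lookup` with `op` and `options=mr`, neither of which the page describes), parses a constructed machine-readable listing, and accepts a key only when it matches a fingerprint you verified out of band. The host `keyserver.example`, the fingerprints and the user ID are made up, and the server is assumed to return full fingerprints in its `pub` lines.

```python
from urllib.parse import urlencode, unquote

HKP_PORT = 11371  # the HTTP port this page lists for key servers

# Constructed machine-readable index reply: two different keys that share the
# short key ID E3EFE1A7 and the same user ID (all values are made up).
SAMPLE_REPLY = """info:1:2
pub:0123456789ABCDEF0123456789ABCDEFE3EFE1A7:1:2048:1030000000::
uid:Alice%20Example%20%3Calice%40example.org%3E:1030000000::
pub:FEDCBA9876543210FEDCBA9876543210E3EFE1A7:1:2048:1560000000::
uid:Alice%20Example%20%3Calice%40example.org%3E:1560000000::
"""

def lookup_url(host, search, op="index"):
    """Build a lookup URL; op is 'index', 'vindex' (verbose) or 'get'."""
    query = urlencode({"op": op, "options": "mr", "search": search})
    return f"http://{host}:{HKP_PORT}/pks/lookup?{query}"

def parse_index(text):
    """Turn a machine-readable index listing into a list of key records."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 2:
            flags = fields[6] if len(fields) > 6 else ""
            keys.append({"id": fields[1].upper(), "uids": [],
                         "revoked": "r" in flags})
        elif fields[0] == "uid" and keys and len(fields) >= 2:
            # User IDs are percent-encoded in the listing.
            keys[-1]["uids"].append(unquote(fields[1]))
    return keys

def select_verified(keys, trusted_fingerprint):
    """Return the one unrevoked key whose full fingerprint equals the one
    verified out of band, or None. A short key ID never qualifies."""
    want = trusted_fingerprint.replace(" ", "").upper()
    hits = [k for k in keys if k["id"] == want and not k["revoked"]]
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    print(lookup_url("keyserver.example", "0xE3EFE1A7"))
    found = parse_index(SAMPLE_REPLY)
    print(len(found), "keys match the short ID; the server vouches for none")
    fpr = "0123 4567 89AB CDEF 0123 4567 89AB CDEF E3EF E1A7"
    print(select_verified(found, fpr))
```

Both keys in the sample carry the same user ID and the same short key ID, so neither field tells them apart; only the full fingerprint obtained from the owner does.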

Uploading a Key

You have just generated a key pair and want to distribute your new public key. More important, you just revoked your key and want as many people as possible to know. Public key servers are generally used for very broad public distribution of new and modified keys.

If you add another user ID (e.g., a new E-mail address) to your key, which you previously uploaded to a key server, you must now upload the key again. If you sign a key because you indeed know the owner of that key, then that key might also be uploaded to a key server; however, in this case, courtesy requires that you ask the key owner first (especially if the key has never been uploaded before).

If you have set up the Servers portion of PGP's Options, you can upload directly from PGP. After connecting to the Internet, select one or more keys to upload. Then select Send To in the Servers menu. Remember, Domain refers to a server that only has keys for the E-mail domain that matches the server's domain; to upload to such a server, it must first be set up in your list of servers.

If you are using a Web page, select one or more keys and then copy them (from the Edit menu or from a pull-down menu). Paste the result in the input area on the Web page. Finally, select the appropriate button or link on the Web page to upload the pasted keys.

Public Key Servers

The following table contains these columns:

The initial information in this table was obtained from Brian M. Carlson's PGP and GnuPG Web site, which no longer exists. I solicit additional inputs and corrections via E-mail.

Note: Some (or all) of the servers listed below might not handle keys with subkeys or photos. Not using either, I have not tested for their use.

Those servers whose domain names are in bold are in the list of servers I entered into my PGP options. I tested the synchronization of these using new, updated, and revoked keys late in August 2010; they synchronized with other servers in less than 90 minutes. All the other servers in this list are also known to synchronize with others.

After a key server has been tested above and entered into the list below, subsequent testing only involves checking to make sure the server responds.

REMEMBER: The fact that you found someone's public key on one of the following servers does not mean the key authentically represents that person.

Server   Web   Lang   HTTP Ports   Tested
Engl Span   11371   30 Jan 22
X   Engl   11371   30 Jan 22
X   Engl   11371   30 Jan 22
1,2   X   Engl   30 Jan 22
X   Engl   11371   30 Jan 22
X   Engl   11371   30 Jan 22
X   Engl   11371   30 Jan 22

1. Cannot upload legacy RSA public keys to this server.

2. A Web search on this server for a user requires a complete E-mail address of that user. Domain searches are not supported.

Remove a Key From a Key Server?

Several times a month, I see messages on the PGP newsgroups asking "How can I remove my key from a key server?" In general, you should assume that you cannot. While some public key servers do allow keys to be deleted, this is very problematical.

But what can you do if you lose your private key or forget your passphrase? This is not clean, but can provide a warning to those who synchronize with key servers.

Last updated 30 January 2022
