sks-devel
Re: [Sks-devel] disable key receiving


From: Rafael
Subject: Re: [Sks-devel] disable key receiving
Date: Sat, 23 Feb 2013 01:28:20 -0300

This is to provide some kind of assurance in the key validation to a small group of users. For instance, anyone can generate a public key with my email address, and if someone gets my email password he can send it saying that it is me. We want to ensure to this small group that those keys really belong to those people, so, to be sure of that, they have to receive the keys from our server. And to add to our server they have to submit it to our admin and he will do the add (that's why we need to block the send). Of course they can send their public keys to public servers, but the ones we "ensure" are real are the ones in our server.
I don't know if I was clear enough.

We actually did it. With the "string match" of iptables, we drop any request having the string "/pks/add". I think it's not the best solution, but it worked for us.

Thanks for the reply.

2013/2/22 Phil Pennock <address@hidden>
On 2013-02-21 at 15:22 -0300, Rafael wrote:
> Is there a way I can disable the receiving of keys? The idea is people only
> can search for public keys and when they want to add one they send it to
> our admin and he puts it into the server.

What are you trying to achieve?

Based on your description, anyone who doesn't want to worry about the
bureaucracy simply uses "gpg --keyserver some.public.server --send-key
$keyid" and waits for you to retrieve the key from the public peering
mesh.

Either you have a trusted server of just local keys, or you have a
public server, but you can't have both in one process.

You might have a tool which you run from cron, which checks public
servers for new signatures on existing keys in the private server and
pulls those, so that new signatures can appear locally.  Does that solve
the underlying issue?

-Phil


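An HTTP-layer alternative to the packet-level iptables "string match" described in the thread, added here as an example; it is not code from the thread or from the SKS project. The endpoint name /pks/add comes from the thread; the addresses (SKS on 127.0.0.1:11371, the filter on port 11372) are constructed values for illustration.

```python
"""
Added example (not from the sks-devel thread, not SKS code): a small filter
that sits in front of an SKS keyserver, refuses HKP key submissions
(/pks/add) and forwards every other request to SKS unchanged.
"""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Assumed addresses (constructed for this example).
SKS_UPSTREAM = ("127.0.0.1", 11371)   # where SKS listens
LISTEN = ("0.0.0.0", 11372)           # where this filter listens

# HKP submission endpoint named in the thread; only this path is closed.
SUBMIT_PATH = "/pks/add"


def decide(method: str, target: str) -> int:
    """Return 403 when the request targets the submission endpoint, else 0.

    Only the request path is compared (query string stripped), so a lookup
    whose search term merely contains the text "/pks/add" still passes,
    whereas an iptables string match on the packet payload would drop it.
    Duplicate and trailing slashes are collapsed so "/pks//add/" is treated
    conservatively as a submission.
    """
    path = urlsplit(target).path
    path = "/" + "/".join(part for part in path.split("/") if part)
    if path == SUBMIT_PATH:
        return 403
    return 0


class SubmissionFilter(BaseHTTPRequestHandler):
    """Refuses submissions (GET or POST); proxies everything else to SKS."""

    def do_GET(self):
        self._handle()

    def do_POST(self):
        self._handle()

    def _handle(self):
        status = decide(self.command, self.path)
        if status:
            # Tell the client the policy instead of silently dropping packets.
            self.send_error(status, "Key submission is disabled; send the key to the admin")
            return
        self._proxy_to_sks()

    def _proxy_to_sks(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        # Forward the original headers, replacing Host with the upstream address.
        headers = {k: v for k, v in self.headers.items() if k.lower() != "host"}
        headers["Host"] = "%s:%d" % SKS_UPSTREAM
        conn = http.client.HTTPConnection(*SKS_UPSTREAM, timeout=30)
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status, resp.reason)
            for k, v in resp.getheaders():
                # We re-frame the body ourselves, so drop framing headers.
                if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        finally:
            conn.close()


def main():
    ThreadingHTTPServer(LISTEN, SubmissionFilter).serve_forever()


if __name__ == "__main__":
    main()
```

Run it on the keyserver host and point clients at port 11372 instead of 11371. The decision is made on the parsed request line, which avoids two properties of `iptables -m string` that a practitioner should weigh: the payload match fires wherever the bytes appear (a lookup searching for the text "/pks/add" is dropped too), and it cannot see a path that is split across packet boundaries. Phil's point in the thread still applies unchanged: this only closes this server's own submission endpoint, and keys can still arrive through peering if the server gossips with the public mesh.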