Thanks, Andrew, for pointing it out. We could grandfather such keys if their uid length fits within a limit (256 bytes?). But do not return such keys in search results, except when searched directly by fingerprint or longid.
Newly uploaded keys without a valid uid email address would not be accepted.
Speaking of preventing abuse, only email addresses and key ids should get indexed for search, and only strict match should be allowed.
> On 14 Jul 2018, at 09:34, Human at FlowCrypt <address@hidden> wrote:
>
> > > Could this be mitigated by validating email addresses as they come in?
>
> > No, because ID fields are not required to be email addresses.
>
> Then let's drop keys that don't contain a valid email address in the key id.
You do realise that the largest use case for PGP keys is package distribution, and many well known package distributors deliberately use signing keys with no email address?
A