Re: Senator Leahy, your public key please?
From: IN%"stewarts@ix.netcom.com" "Bill Stewart" 20-MAY-1996 03:34:34.06
While I agree that keyservers don't need to validate keys - that's a job for the web of trust, and the keyserver-admin could sign keys if he/she/it wanted to - it may make sense for the keyservers to only accept keys in messages signed by the key itself. (Just signing the key doesn't help much here; you need to sign the key-plus-signatures.) Does it make sense to include some similar capability in PGP itself?
I would suggest that the keyserver should simply keep track (via keeping the signatures) of which signatures were with the key holder's permission (signed by the key holder) and which aren't. This won't be necessary for mutually-signing keys, of course.
-Allen
E. ALLEN SMITH
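Added example, not part of the original thread and not any keyserver's or PGP's code: a sketch of the bookkeeping discussed above, where the server keeps every signature but records whether it arrived in a submission signed by the key itself over the key-plus-signatures. Textbook RSA on fixed toy primes stands in for PGP signatures, and all names (`Keyserver`, `bundle`, `submit`) are hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA from two primes: a toy stand-in for a PGP key, not secure."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

def bundle(key_id, certs):
    """Bytes the holder signs: key (key_id stands in for it) plus its signatures."""
    return (key_id + "|" + ",".join(sorted(certs))).encode()

class Keyserver:
    def __init__(self):
        self.keys = {}   # key_id -> public key as first submitted
        self.certs = {}  # key_id -> {certifier: arrived with holder's permission?}

    def submit(self, key_id, pub, certs, sig=None):
        pub = self.keys.setdefault(key_id, pub)  # later uploads cannot swap the key
        approved = sig is not None and verify(pub, bundle(key_id, certs), sig)
        seen = self.certs.setdefault(key_id, {})
        for c in certs:  # keep every signature, but remember how it arrived
            seen[c] = seen.get(c, False) or approved
        return approved

# Constructed sample keys (Mersenne primes) and submissions.
ALICE = make_key(2**61 - 1, 2**89 - 1)
ALICE_PUB = {"n": ALICE["n"], "e": ALICE["e"]}
MALLORY = make_key(2**107 - 1, 2**127 - 1)

def demo():
    ks = Keyserver()
    ks.submit("alice", ALICE_PUB, ["bob"], sign(ALICE, bundle("alice", ["bob"])))
    ks.submit("alice", ALICE_PUB, ["carol"])  # no holder signature at all
    ks.submit("alice", ALICE_PUB, ["eve"], sign(MALLORY, bundle("alice", ["eve"])))
    # Holder signed the bare key only; a signature added afterwards is not covered.
    ks.submit("alice", ALICE_PUB, ["dave"], sign(ALICE, bundle("alice", [])))
    return ks.certs["alice"]

if __name__ == "__main__":
    print(demo())
```

The server here does not validate the third-party signatures themselves, in line with the thread's view that validation is the web of trust's job.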