* William H. Geiger III wrote:
> I can see where in a Public keyserver environment it is easier to allow
> duplicate keyIDs to prevent a DOS attack with a spoofed key. For a
> corporate keyserver or a local keyring I am not sure if allowing these
> keys into the database is a wise thing.

Local databases may apply a completely different policy on accepting keys.
My current policy is to not add untrusted keys, not selfsigned user IDs, and
ask if duplicates arrive.

> I may be wide off on this one but it just seems to be a bad design
> approach to allow non-unique identifiers in the PGP packets and then try
> every key that matches it.

Defining something unique without any guarantee to be is even worse.