yarmo Yes, we can bend signatures to our will by not signing keys but rather text documents. Currently, Keyoxide supports so-called signature profiles
Ah, I'm sorry, looks like a terminology confusion. When you talked about switching from "notations" (which are inherently part of PGP keys) to "signatures", I assumed you meant signatures on PGP keys too. Now I see you meant the newly-introduced "signature profiles" which are signed text documents containing plaintext claims.
So, my previous comments are largely irrelevant, but I have a new set of thoughts 😀
I think "signature profiles" is quite a confusing name, but I haven't thought of anything better 😄
Are you envisaging "signature profiles" eventually fully replacing claims embedded in PGP keys?
Personally I think both methods have their pros and cons, but I do really like being able to embed claims in my PGP key directly.
A disadvantage of "signature profiles" (or advantage, depending on perspective / use case) is lack of discoverability. A PGP key (with claims embedded via notations) can be found by established means such as HKP and WKD. Not so for a "signature profile", which must be distributed manually.
It would be great to have an easy way to get a "signature profile" into Keyoxide (web and CLI) for verification, rather than having to copy and paste it. Maybe by providing a link to a text document hosted online? Maybe it would be possible to embed a (single?) claim and a signature in a link to keyoxide-web?
On the (off-topic as it turns out) subject of the old keyservers hosting third-party key signatures:
yarmo I did not know the old keyservers hosted arbitrary signatures, interesting
I'm pretty sure they did, but it turns out (I hadn't realised) that the old SKS pool has actually been taken offline due to GDPR compliance issues. That said, some of the individual keyservers are still online, such as http://keyserver.ubuntu.com/.
yarmo The simple fact of hosting user-uploaded signatures does not violate the GDPR, right? Provided users can remove the signatures at will.
Well, firstly, I'm pretty sure it does, if the user didn't explicitly opt into that information being published in the first place. In fact, publishing the key at all is a violation if not authorised (for example, if someone else uploads my key), which is (partly) why keys.openpgp.org doesn't publish PII (name and email) on the keys unless verified. If someone uploads a new copy of my key that they have signed, and the keyserver publishes that, they're publishing information that identifies me as having a relationship with that person, without my authorisation.
Secondly, I don't think most of the old keyservers do provide a way to remove your key. I don't see that option on http://keyserver.ubuntu.com/ for example.
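Added example (not code from the thread participants or from Keyoxide): the discoverability point above rests on the fact that a key's location can be derived from nothing more than an e-mail address or fingerprint, which is not possible for a manually distributed signature profile. The script below derives the two WKD lookup URLs (direct and advanced method, following draft-koch-openpgp-webkey-service: lower-cased local part, SHA-1, z-base-32) and an HKP lookup URL for keyserver.ubuntu.com, which is mentioned above. The address Joe.Doe@Example.ORG is the draft's own worked example; the fingerprint in the usage call is a placeholder, not a real key.

```python
import hashlib
from urllib.parse import urlencode

# z-base-32 alphabet as used by the WKD draft (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding: 5 bits per character, MSB first."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5            # left-align so the bit count is a multiple of 5
    value <<= pad
    nbits += pad
    return "".join(
        ZBASE32_ALPHABET[(value >> (nbits - 5 * (i + 1))) & 0x1F]
        for i in range(nbits // 5)
    )


def wkd_urls(email: str) -> dict:
    """Return the 'advanced' and 'direct' method WKD URLs for an e-mail address.

    A WKD client tries the advanced method first and falls back to the direct
    method; the 'l' query parameter carries the original (un-lowercased) local part.
    """
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    domain = domain.lower()
    # The hashed local part is lower-cased before hashing, per the draft.
    hu = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    query = "?" + urlencode({"l": local})
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}{query}",
    }


def hkp_lookup_url(search: str, keyserver: str = "http://keyserver.ubuntu.com") -> str:
    """HKP 'get' lookup URL; 'search' is a 0x-prefixed fingerprint/key ID or an e-mail."""
    return f"{keyserver}/pks/lookup?" + urlencode(
        {"op": "get", "options": "mr", "search": search}
    )


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"WKD {name}: {url}")
    # Placeholder fingerprint, not a real key.
    print("HKP:", hkp_lookup_url("0xDEADBEEF"))
```

Both lookups are derived purely from public identifiers, which is what makes a notation-based key profile discoverable; there is no equivalent derivation for a signature profile, so Keyoxide would need an explicit URL or pasted text, as the post suggests.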