HKP machine-readable search output lists unverified User IDs

[dkg]

my OpenPGP certificate 0xC4BC2DDB38CCE96485EBE9C2F20691179038E5C6 has two User IDs, one of them using debian.org and one using fifthhorseman.net

I've uploaded it to keys.mailvelope.com but only clicked on the link in the verification message sent to the debian.org address.

When i search the keyserver via HKPS based on the fifthhorseman.net address, i get no responses. so far, so good.

But, when i look up via the debian.org address (i.e. https://keys.mailvelope.com/pks/lookup?op=index&options=mr&search=dkg@debian.org ) the listing includes the unverified e-mail address as well:

info:1:1
pub:C4BC2DDB38CCE96485EBE9C2F20691179038E5C6::null:1547878146::
uid:Daniel%20Kahn%20Gillmor%20%3Cdkg%40fifthhorseman.net%3E:::
uid:Daniel%20Kahn%20Gillmor%20%3Cdkg%40debian.org%3E:::

When i actually choose to download (i.e. via https://keys.mailvelope.com/pks/lookup?op=get&options=mr&search=0xC4BC2DDB38CCE96485EBE9C2F20691179038E5C6 ) then i only get the verified User ID. So that's also good.

But given the expectation that users have of a validating keyserver, the machine-readable listing probably has no business displaying non-validated User IDs.

[toberndo]

This is now fixed with the v4 update of the key server. Only verified User IDs will be returned with op=index.