This article defines some cryptography concepts associated with using PGP software products.
Public Key Server
A public key server, such as the PGP Global Directory, is a publicly accessible server that provides a method for exchanging public keys with others.
Email Verification of Keys
Upload: When you submit your public key to the PGP Global Directory, a verification email is automatically sent to the email address(es) on your key, requesting that you verify the submission. During this time, your public key remains in a pending area and is not actually published in the directory. Once you verify that the key you submitted is indeed associated with your email address, the key is published with that particular email address. If your key is associated with multiple email addresses, only the email addresses you verify will be published. Unverified email addresses and/or keys are not published in the directory, and are removed from the pending area 14 days after submission. Legacy key servers allow anyone to upload any key, regardless of the email address(es) on the key. As a result, legacy key servers cannot be considered trusted key servers. The PGP Global Directory's upload verification process provides some measure of assurance that a key associated with your email address is really your key.
Removal: At any point after you have submitted your public key to the PGP Global Directory, you may submit a request to have that key removed from the directory. This causes the PGP Global Directory to send a verification email to the email address(es) for which you requested removal. Some legacy key servers do not allow for key removal, while others require the administrator of the server to approve and carry out the removal. If you don't want people using your public key anymore (e.g. because you have lost your private key or forgotten its passphrase), the PGP Global Directory's removal verification process provides you with the ability to remove your key from the directory in a matter of seconds.
Re-verification: Six months from the submission of your key, and every six months thereafter, the PGP Global Directory automatically sends an email to the email address(es) on your key, requesting that you re-verify them. Email addresses and/or keys that are not re-verified within 14 days of the sending of the re-verification email(s) are removed from the directory automatically. Legacy key servers do not require the periodic re-verification of keys in the directory. As a result, legacy key servers often contain "stale", or unused, keys. The PGP Global Directory's re-verification process ensures that only current keys are published.
The PGP Global Directory will not publish two different keys that contain the same email address, meaning that it is not possible to search the PGP Global Directory by email address and get multiple results. Legacy key servers will accept and publish any number of keys that contain the same email address, which can lead to confusion, and can even be exploited by attackers who hope that the wrong public keys will be used for encryption. The PGP Global Directory's one-key limit helps to mitigate such problems.