Garbled data in keyservers

Dirk Gottschalk dirk.gottschalk1980 at googlemail.com
Sun Dec 9 20:13:46 CET 2018


On Sunday, 09.12.2018, 19:54 +0100, Stefan Claas wrote:
> On Sun, 9 Dec 2018 19:51:37 +0100, Stefan Claas wrote:
> > On Sun, 09 Dec 2018 18:24:38 +0100, Dirk Gottschalk wrote:
>  
> Hi Dirk,
> > > Get a sig from a CA and then upload your key via email.
> > > Then the key servers do something like a gpg --check-sigs
> > > to see if a key bears a valid CA sig and if it is found in their
> > > index the key will be added to the network, once the submitted
> > > UID matches with the email address header. So no cryptographic
> > > verification is imho needed. This would also eliminate, i think,
> > > that someone else can upload someone else's pub key.
> > > 
> > > And who decides which CA is trustworthy and which is not? The
> > > problem is, like in the X.509 land, that it depends on an initial
> > > trust in one or more central authorities. Who decides whom one
> > > can trust.

> If trusted organizations like EFF etc. would run a CA...

> > > And further, why should anyone run something like a CA for
> > > free.
 
> Nobody said that it should be free.

That's a point one would have to discuss. A small one-time fee would be
okay, but not too much, or we are at the same point as in X.509 land
and nobody wants to invest, except for really good reasons.


> > > And then again the question, who decides who gets the needed
> > > trust?

> I have learned in the past the phrase "trust nobody" when it comes
> to IoT. That means also I don't have to trust GnuPG users, for
> example... ;-)

This is exactly the point where the key signatures come in. You
can decide whom you trust, or not, and how far your trust goes.
Then you can see if somebody you don't know yet is trusted by a user
you trust. This is where the trustdb comes into play. This is exactly how PGP
works. PGP is not a replacement for the X.509 infrastructure as it is
used in companies or other organizations. And even there, PGP is often
enough, at least for email signing or encryption.

I'm still not sure what you're trying to achieve. A replacement for
X.509?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20181209/73a079b5/attachment-0001.sig>
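The mechanism Dirk describes in his message, a key's validity being derived from the ownertrust you assign to the keys that certified it, is what GnuPG's trustdb computes. The following is an added illustration, not code from the thread and not GnuPG's own implementation: a simplified Python model of that computation using GnuPG's default parameters (--marginals-needed 3, --completes-needed 1, --max-cert-depth 5). The keys, certifications and ownertrust assignments are constructed sample data. Two simplifications are assumptions of this model rather than exact trustdb behaviour: a key introduces others only once it is fully valid and has an ownertrust of full or marginal, and certifications accumulate across depths.

```python
"""
Toy model of the web-of-trust validity computation performed by GnuPG's
trustdb (defaults: --marginals-needed 3, --completes-needed 1,
--max-cert-depth 5). Added example with constructed data; not GnuPG code.
"""
from collections import defaultdict

# Ownertrust: how far YOU trust a key's owner to certify other keys.
ULTIMATE, FULL, MARGINAL, NEVER, UNKNOWN = "ultimate", "full", "marginal", "never", "unknown"
# Validity: how sure the trustdb is that a key belongs to its named owner.
VALID_FULL, VALID_MARGINAL, VALID_NONE = "full", "marginal", "none"


def compute_validity(certs, ownertrust, marginals_needed=3,
                     completes_needed=1, max_cert_depth=5):
    """Return {key_id: validity} for every key in `certs` or `ownertrust`.

    certs      -- iterable of (signer, signed) certification pairs
    ownertrust -- {key_id: ownertrust level} as set by the local user

    Simplifications (assumptions of this model, not exact trustdb logic):
    a key introduces others only once it is fully valid AND has an
    ownertrust of full or marginal; certifications accumulate across
    depths; user IDs are collapsed into the key.
    """
    signers_of = defaultdict(set)
    keys = set(ownertrust)
    for signer, signed in certs:
        signers_of[signed].add(signer)
        keys.update((signer, signed))

    validity = {k: VALID_NONE for k in keys}
    # Depth 0: your own keys (ultimate ownertrust) are valid by definition.
    introducers = {k for k, t in ownertrust.items() if t == ULTIMATE}
    for k in introducers:
        validity[k] = VALID_FULL

    for _depth in range(1, max_cert_depth + 1):
        newly_valid = set()
        for key in keys:
            if validity[key] == VALID_FULL:
                continue
            # Only certifications by current introducers count; a "never"
            # or "unknown" ownertrust contributes nothing even if the key is valid.
            full_sigs = sum(1 for s in signers_of[key]
                            if s in introducers and ownertrust.get(s) in (ULTIMATE, FULL))
            marginal_sigs = sum(1 for s in signers_of[key]
                                if s in introducers and ownertrust.get(s) == MARGINAL)
            if full_sigs >= completes_needed or marginal_sigs >= marginals_needed:
                newly_valid.add(key)
            elif full_sigs or marginal_sigs:
                validity[key] = VALID_MARGINAL
        if not newly_valid:
            break  # no change this round, so deeper rounds cannot change anything
        for key in newly_valid:
            validity[key] = VALID_FULL
        # Valid keys can introduce others only if you assigned them ownertrust.
        introducers |= {k for k in newly_valid if ownertrust.get(k) in (FULL, MARGINAL)}
    return validity


# Constructed sample keyring: "me" is the local user's own key.
SAMPLE_CERTS = [
    ("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dan"), ("me", "mallory"),
    ("alice", "erin"),                                        # one fully trusted introducer
    ("bob", "frank"), ("carol", "frank"),                     # two marginal introducers: not enough
    ("bob", "grace"), ("carol", "grace"), ("dan", "grace"),   # three marginal introducers: enough
    ("mallory", "heidi"),                                     # mallory is valid but trusted "never"
    ("erin", "ivan"),                                         # erin is valid but has no ownertrust set
    ("grace", "judy"),                                        # depth 3 via grace (ownertrust full)
]
SAMPLE_OWNERTRUST = {
    "me": ULTIMATE, "alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
    "dan": MARGINAL, "mallory": NEVER, "grace": FULL,
}

if __name__ == "__main__":
    for key, v in sorted(compute_validity(SAMPLE_CERTS, SAMPLE_OWNERTRUST).items()):
        print(f"{key:8s} ownertrust={SAMPLE_OWNERTRUST.get(key, UNKNOWN):9s} validity={v}")
```

Running it shows the distinction Dirk draws: erin and mallory are fully valid (you know whose keys they are) yet introduce nobody, because validity and ownertrust are separate decisions; frank stays marginal with only two marginal introducers, and lowering marginals_needed to 2 makes him fully valid.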
