Garbled data in keyservers

Dirk Gottschalk dirk.gottschalk1980 at googlemail.com
Sun Dec 9 20:34:55 CET 2018


On Sunday, 09.12.2018, at 20:03 +0100, Stefan Claas wrote:
> On Sun, 9 Dec 2018 19:38:31 +0100, Stefan Claas wrote:
> > On Sun, 09 Dec 2018 08:23:03 -0900, justina colmena via Gnupg-users
> > wrote:
> > > On December 9, 2018 7:54:01 AM EST, Stefan Claas
> > > <stefan.claas at posteo.de> wrote:
> > > > Get a sig from a CA and then upload your key via email.
> > > >    
> > > That's a bit steep, and was never the original goal of PGP or
> > > GPG.  

> > No, in 2018 I think it is not. CAs can be run by non-profit
> > organizations like EFF etc., which I believe a lot of people trust.

> > Then don't forget all the worldwide assurers from CAcert.org.

> > > If the goal is to eliminate the bulk of bad keys and junk from
> > > key servers, an account creation with basic email verification
> > > for adding or removing keys should suffice.

> > I don't think so. Create an anon account at ProtonMail via Tor for
> > example and then do "funny stuff" with those keys.

> My proposal could be run also in parallel. I think it would be
> only a weekend job for a programmer to modify the server code,
> so that it accepts only incoming and verified email and not web
> or GnuPG via Tor submissions.

That's also what GPG is made for. Privacy. So Tor usage is quite okay.
The idea with an email bot instead of HKP for upload is something
that could be taken into consideration to validate sender and key, I
agree.

A weekend job... Muhahahahahahaha, you don't do much programming, do
you? One would have to write an email bot, change the keyserver code to
no longer accept submissions via HKP, then it would be necessary to
disable HKP for upload in GnuPG to avoid broken clients and so on.

> People can then still use the old key servers (until they may become
> obsolete...) or use keybase.

Keybase is an option, yes. And the keyservers could be fixed. HKP for
retrieval is very comfortable and there is no need to also disable the
retrieval.

> Too bad that Werner's WKD is not widely adopted by email
> service providers...

WKD is a good thing, but has not yet spread widely. I think one of the
problems is the small number of users demanding it.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
