keys require a user-id
Robert J. Hansen
rjh at sixdemonbag.org
Mon May 18 18:16:58 CEST 2020
> And by that changing the distributed system of keyservers into a
> centralized key database like PGP tried this with their Universal
> Server. Which unavoidable will change OpenPGP to a centralized systems.
I think that's a little excessive, Werner. OpenPGP was always intended
to be flexible on the subject of certificate distribution, and there are
many use cases where a single authoritative keyserver is preferred over
a distributed federation.
In 2001 I was the chief system administrator for a law firm which used
OpenPGP to secure client communications. (It didn't require clients to
use OpenPGP but provided it as an option for clients who were concerned
about email privacy.) The procedure was simple: when you opted into
OpenPGP you showed up at your attorney's office in person with your
certificate burned on a CD. Your attorney then called in a member of
the sysadmin staff (usually me) who would check fingerprints with you,
before signing it with the firm's trusted-introducer key and uploading
it to the firm's own keyserver.
Doing it this way meant we could skip long conversations about, "but
can't anybody get my certificate if it's on the internet?" Instead of
spending 30 minutes talking about why it's okay if public certificates
are shared, we could instead just say "we're not going to share your
public key with anyone without your written consent" and spend those 30
minutes talking abut more productive things.
Centralized key management schemes are sometimes very useful.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 821 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20200518/9017fbee/attachment.sig>
More information about the Gnupg-users
mailing list