Re: “Keyservers are actually useless these days and I wish they could go away”
Wed, 17 Jul 2019 14:44:55 +0300
Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
Werner Koch <firstname.lastname@example.org> wrote:
> Keyservers are actually useless these days and I wish they could go away.
An advocate of the ‘Web of Trust’ hardly agrees with that. I am not one,
however I’m really intrigued — what do you suggest using instead?
> Looking up key at a keyserver does not give you any indication that the key
> belongs to the claimed mail address.
But they were never intended to do so, were they? They are meant to reliably
_publish_ your key, and they have been doing their job fairly well, as far as I
can tell. What might the substitute be? BitTorrent? Blockchain?
> A validating key server tries to fix this by claiming authority to check the
That’s an interesting sociotechnical task, but the topical issue is not about
verifying vs non-verifying.
I believe nobody is opposed to running a proprietary service for distributing
keys, verifying or not, gratis or paid (yes, why not?). Setting it as a
default is what I see as a dubious act.
Moreover, I suppose, few would have anything against a default server that also
optionally performs an email / SIP / GNU Social / whatever check, as long as it’s
not a walled garden like keys.opengpg.org, which is detached from the de facto
standard network (that was SKS) and therefore breaks seamless compatibility
between various GPG frontends and GPG-compatible clients.
Actually, if I am not mistaken, before the SKS-based WoT practically went out
of operation after the DoS attack, doing that did not require any changes
either in SKS or in GPG: a server could check the email and sign a key, and
a frontend could check its signature — that’s all. Or am I mistaken?
> However, this gets us back into the X.509 centralized world.
But that does not, so long as no one is forbidden to run yet another verifier,
connected to the common WoT.