looking up pgp keys

Tim Prepscius timprepscius at gmail.com
Tue Sep 10 02:40:42 CEST 2013


Thank you very much for this feed back.

I'm thinking, thinking, thinking...


Here is sort of a naive question:

Why aren't the results from the http://pgp.mit.edu:11371 signed with their key?
They have an http request but there is no way I can tell if I've been mitm-ed.


I should be able to ask each server I request from, the public key of
the other servers, and then check the signature of each against each
other

??

Is this implemented and I'm missing it somehow?

-tim


On 9/9/13, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 09/09/2013 02:12 AM, Phil Pennock wrote:
>
>> Note that most recipient mail-servers will not also run PGP keyservers,
>> If you want that approach to take off, I suggest figuring out a DNS
>> scheme for asking for SRV records _mail-openpgp._tcp.example.org or
>> somesuch.  The details don't matter.
>
> If you do something like that, please don't make up your own scheme.
> The current proposed draft for this kind of lookup is from Paul Wouters:
>
>   https://tools.ietf.org/html/draft-wouters-dane-openpgp
>
> If you are working on implementing this sort of scheme, and you evaluate
> your threat models sensibly like Phil is suggesting, and you think you
> see a problem with it, or a way it could be improved, you should mention
> it to Paul.  i'm sure he would be happy to get feedback from
> implementors for a revised draft if it is necessary.
>
> Regards,
>
> 	--dkg
>
>



More information about the Gnupg-devel mailing list