looking up pgp keys
Hauke Laging
mailinglisten at hauke-laging.de
Thu Sep 12 03:20:26 CEST 2013
On Wed 11.09.2013, 18:48:57, John Clizbe wrote:
> > Why aren't the results from the http://pgp.mit.edu:11371 signed with their
> > key? They have an http request but there is no way I can tell if I've
> > been mitm-ed.
> As others have replied, it's not the keyserver's responsibility
If the WoT is ever to be taken seriously (the obvious comparison is the
signature law with its requirements for CAs) then this MUST be(come) the
server's responsibility. If you cannot know (in a way you can prove) whether
the information you get from the server is the current state of the
certificate then the information is close to useless.
On the other hand you must be capable of proving that you have revoked your
key at a certain date (and time).
We need a much better keyserver infrastructure before the OpenPGP user numbers
explode (which I claim for the next five years as I am very actively working
on that). I have given a lecture about OpenPGP at the German BSI last month and
even without me bringing this up they mentioned that something had to be done
about the keyserver situation. Thus I hope they will throw some money at that.
Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
More information about the Gnupg-devel mailing list