looking up pgp keys

Hauke Laging mailinglisten at hauke-laging.de
Thu Sep 12 03:20:26 CEST 2013


On Wed 11.09.2013, 18:48:57, John Clizbe wrote:

> > Why aren't the results from the http://pgp.mit.edu:11371 signed with their
> > key? They have an http request but there is no way I can tell if I've
> > been mitm-ed.
> As others have replied, it's not the keyserver's responsibility

If the WoT is ever to be taken seriously (the obvious comparison is the 
signature law with its requirements for CAs) then this MUST be(come) the 
server's responsibility. If you cannot know (in a way you can prove) whether 
the information you get from the server is the current state of the 
certificate then the information is close to useless.

On the other hand you must be capable of proving that you have revoked your 
key at a certain date (and time).

We need a much better keyserver infrastructure before the OpenPGP user numbers 
explode (which I claim for the next five years as I am very actively working 
on that). I have given a lecture about OpenPGP at the German BSI last month and 
even without me bringing this up they mentioned that something had to be done 
about the keyserver situation. Thus I hope they will throw some money at that.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5