looking up pgp keys

Robert J. Hansen rjh at sixdemonbag.org
Thu Sep 12 15:53:07 CEST 2013


On 9/11/2013 9:20 PM, Hauke Laging wrote:
> If the WoT is ever to be taken seriously (the obvious comparison is the 
> signature law with its requirements for CAs) then this MUST be(come) the 
> server's responsibility.

Why?

> If you cannot know (in a way you can prove) whether 
> the information you get from the server is the current state of the 
> certificate then the information is close to useless.

Then the information is close to useless.  There is no requirement that
people update the keyservers when they change their certificate.  Nor
could such a requirement possibly ever be enforced.

> On the other hand you must be capable of proving that you have revoked your 
> key at a certain date (and time).

Requires a trusted third party to do timestamping.  Trusted timestamp
services are also highly nontrivial and tend to be high-value targets
for compromise.

> We need a much better keyserver infrastructure before the OpenPGP user numbers 
> explode...

I've been hearing "we must do X before OpenPGP takes off" for the past
20 years.  After seeing many, many Xes go by, I'm deeply skeptical of
this claim.
