HKPS [was 0xdeadbeef]

David Leon Gil coruus at gmail.com
Fri Oct 10 21:15:46 CEST 2014


So this doesn't get lost: I'm convinced by dkg and Kristian's
arguments: Use hkps with hkps.pool.sks-keyservers.net

GnuPG 2.1 will ship with hkps enabled by default, I believe, and
Kristian's CA. (I don't think 2.0 does yet.)

On Fri, Oct 10, 2014 at 12:27 PM, Kristian Fiskerstrand
<kristian.fiskerstrand at sumptuouscapital.com> wrote:
> You are quite correct that I probably wouldn't, and my primary income
> is from another industry, but at the same time that does bring a
> protection as I wouldn't be discouraged to fight any oppression.

I do agree about that.

And, in fact: I failed to thank you! I've used the SKS pool you
operate for many years. You provide a critical public service.

> Although for the root
> CAs the major problem is simply the amount of CAs accepted by standard
> implementations, several of which are run by various governments. In
> the end it comes down to what the threat model is and whom you're
> protecting yourself from.

Very much agreed; my particular threat model for this *isn't*
protection against the NSA. (Aside from perhaps protection from
traffic analysis.) It's protection against much weaker threats.

> Currently the only criteria for whether someone gets a certificate for
> a server in the pool is based on technical merits . . .

One thing that one can do (which I do when I don't have a copy of a
key in one of my local keydumps) is use the strategy of Tor's
"tlsdate": use a set of servers which are unlikely to be controlled by
the same adversary.
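The multi-server cross-check described in the last paragraph, written out as an added example (this is not code from the message, from GnuPG, or from the SKS project). It assumes you have already run `gpg --with-colons --fingerprint` against each keyserver separately and captured the output; the server names and the fingerprints in the sample output below are constructed placeholders. A fingerprint is accepted only when every independent server returns it; anything only some servers return is flagged as disputed.

```python
"""Cross-check a key fetched from several keyservers (added example).

Constructed sample output in gpg --with-colons record format, as if captured
from `gpg --batch --with-colons --fingerprint --keyserver <server> ...`
for the same search on each server. Server names and fingerprints are
made-up placeholders, not real keys or hosts.
"""

FP_A = "AAAA0000AAAA0000AAAA00000123456789ABCDEF"  # constructed
FP_B = "BBBB1111BBBB1111BBBB1111FEDCBA9876543210"  # constructed

def _record(fp: str) -> str:
    """Build a minimal pub/fpr/uid record triple in --with-colons layout."""
    return (
        f"pub:-:4096:1:{fp[-16:]}:1412000000::-:::scESC::::::23::0:\n"
        f"fpr:::::::::{fp}:\n"
        "uid:-::::1412000000::DEADBEEF::Alice <alice at example.org>::::::::::0:\n"
    )

# Two servers agree; a third server returns an extra key for the same search.
SAMPLE_OUTPUTS = {
    "hkps://server-a.example": _record(FP_A),
    "hkps://server-b.example": _record(FP_A),
    "hkps://server-c.example": _record(FP_A) + _record(FP_B),
}

def fingerprints(colon_output: str) -> set[str]:
    """Extract all fingerprints from --with-colons output.

    In an 'fpr' record the fingerprint is field 10 (index 9). Primary-key
    and subkey fingerprints are both collected; comparing the full set is
    stricter than comparing only the primary key.
    """
    fps = set()
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fps.add(fields[9].upper())
    return fps

def cross_check(outputs: dict[str, str]) -> tuple[set[str], set[str]]:
    """Return (agreed, disputed) fingerprint sets across all servers.

    agreed   : fingerprints every server returned
    disputed : fingerprints returned by some servers but not all; these
               should not be imported or trusted without further checks.
    """
    per_server = {srv: fingerprints(out) for srv, out in outputs.items()}
    if not per_server:
        return set(), set()
    seen = set().union(*per_server.values())
    agreed = {fp for fp in seen if all(fp in fps for fps in per_server.values())}
    return agreed, seen - agreed

if __name__ == "__main__":
    agreed, disputed = cross_check(SAMPLE_OUTPUTS)
    print("agreed:  ", sorted(agreed))
    print("disputed:", sorted(disputed))
```

The usual way to feed this is one `gpg` invocation per server with a distinct `--keyserver`, collecting stdout for each; because the servers are chosen to be run by unrelated operators, a key that appears on only one of them is exactly the case the strategy is meant to surface.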
