[PATCH] ship sks-keyservers.netCA.pem in distributed tarball

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 10 00:21:31 CET 2015


Hi Christoph--

On Wed 2015-12-09 15:59:16 -0500, Christoph Anton Mitterer wrote:
> I still don't see how hkps adds any real security or trust... or
> privacy - at least not as a single measurement.

There are two significant gains:

A) do you want your keyserver pushes and fetches to be visible to
   everyone along the network path, or do you want them to be
   limited to whichever keyserver operator you end up choosing?

B) do you want your traffic to the keyserver (and its responses to you)
   to be undetectably modified by anyone along the network path, or do
   you want the tampering to be limited to the set of keyserver
   operators?

This is very far from a complete security guarantee.  But it is
substantially better than cleartext over the public Internet.

At the very least, passive adversaries are blocked in this
configuration.

Please don't make it harder to make some progress even though it's clear
that we all share the goal to eventually provide an even stronger
guarantee.

Regards,

     --dkg
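The contrast dkg draws above (cleartext hkp versus hkps with the SKS pool CA) expressed as two gpg.conf fragments. This is an added example, not text from the thread; the CA file path is an assumption about where a distribution might install the shipped sks-keyservers.netCA.pem, and the option syntax is that of GnuPG 2.0 (GnuPG 2.1 moves the CA setting to `hkp-cacert` in dirmngr.conf).

```conf
# Weak setting: plain hkp. Every fetch and push is visible to, and
# modifiable by, anyone on the network path between you and the pool.
keyserver hkp://pool.sks-keyservers.net

# Improved setting: hkps. Observation and tampering are limited to the
# keyserver operator you reach; passive observers on the path see only TLS.
keyserver hkps://hkps.pool.sks-keyservers.net
# The pool uses its own CA, so the shipped CA file must be pinned explicitly.
# Path is an assumption; point it at wherever the tarball's copy is installed.
keyserver-options ca-cert-file=/usr/share/gnupg/sks-keyservers.netCA.pem
```

Only the second block should remain active; with both `keyserver` lines present, the last one wins.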



More information about the Gnupg-devel mailing list