[PATCH] ship sks-keyservers.netCA.pem in distributed tarball

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 10 00:21:31 CET 2015

Hi Christoph--

On Wed 2015-12-09 15:59:16 -0500, Christoph Anton Mitterer wrote:
> I still don't see how hkps adds any real security or trust... or
> privacy - at least not as a single measurement.

There are two significant gains:

A) do you want your keyserver pushes and fetches to be visible to
   everyone along the network path, or do you want them to be
   limited to whichever keyserver operator you end up choosing?

B) do you want your traffic to the keyserver (and its responses to you)
   to be undetectably modified by anyone along the network path, or do
   you want the tampering to be limited to the set of keyserver

This is very far from a complete security guarantee.  But it is
substantially better than cleartext over the public Internet.

At the very least, passive adversaries are blocked in this

Please don't make it harder to make some progress even though it's clear
that we all share the goal to eventually provide an even stronger



