[PATCH] ship sks-keyservers.netCA.pem in distributed tarball
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Dec 10 00:21:31 CET 2015
Hi Christoph--
On Wed 2015-12-09 15:59:16 -0500, Christoph Anton Mitterer wrote:
> I still don't see how hkps adds any real security or trust... or
> privacy - at least not as a single measurement.
There are two significant gains:
A) do you want your keyserver pushes and fetches to be visible to
everyone along the network path, or do you want them to be
limited to whichever keyserver operator you end up choosing?
B) do you want your traffic to the keyserver (and its responses to you)
to be undetectably modified by anyone along the network path, or do
you want the tampering to be limited to the set of keyserver
operators?
This is very far from a complete security guarantee. But it is
substantially better than cleartext over the public Internet.
At the very least, passive adversaries are blocked in this
configuration.
Please don't make it harder to make some progress even though it's clear
that we all share the goal to eventually provide an even stronger
guarantee.
Regards,
--dkg