[PATCH] ship sks-keyservers.netCA.pem in distributed tarball

Christoph Anton Mitterer calestyo at scientia.net
Thu Dec 10 00:33:48 CET 2015


On Wed, 2015-12-09 at 18:21 -0500, Daniel Kahn Gillmor wrote:
> A) do you want your keyserver pushes and fetches to be visible to
>    everyone along the network path or whether you want them to be
>    limited to whichever keyserver operator you end up choosing?
> 
> B) do you want your traffic to the keyserver (and its responses to you)
>    to be undetectably modified by anyone along the network path, or do
>    you want the tampering to be limited to the set of keyserver
>    operators?
Both, however, don't protect against any attacker simply setting up a
keyserver and directly trying to get privacy-related information or
mangle around with the data.

> This is very far from a complete security guarantee.  But it is
> substantially better than cleartext over the public Internet.
Agreed, but as I've said... we shouldn't make ourselves believe that this
makes things really secure... (or even trustworthy).


> Please don't make it harder to make some progress even though it's clear
> that we all share the goal to eventually provide an even stronger
> guarantee.
I don't think I've said or done anything that made it harder... just
that this alone isn't enough.


Cheers,
Chris.