Keyservers and the future

Radu Hociung radu.gpg at
Fri May 20 00:29:30 CEST 2005

Erwan David wrote:
> A key is nothing without a way to add a trusted relation between this
>  key and the entity you want to authenticate. So I do not think those
>  "solutions" are worthwile. Either you accept mail only from people
> you know, or you accept mail only from people who paid some
> established company you have no other reason to trust than te fact
> this company is "well known".

Trust information is locally and privately established and managed, and
thus does not belong on the keyservers. That process of managing trust
is not the object of my question.

The scalability of trust management is a problem for MTA (mail
transport agents) vendors to solve.

The object of trust, however, is a key. Without a key there isn't much
to be trusted. The question is ... is the PGP architecture suited to a
load of hundreds of millions of keys, or even billions?

Are CA's and X509 certificates better equipped to handle the load?

There are several working groups that are working on email
authentication, and they are considering trust. Concepts such as trust,
reputation and accreditation, authorization and authentication are used
in various combinations. Some are bogus, some are quite solid  :)


More information about the Gnupg-users mailing list