RFE: --update-before-use

David Shaw dshaw at jabberwocky.com
Fri Jun 15 05:10:52 CEST 2012


On Jun 14, 2012, at 4:34 PM, Robert J. Hansen wrote:

>> 1) If the keyserver (of whatever type) isn't reachable...
> 
> As you say, easy to solve: agreed.
> 
>> 2) Concern that enough people turning this feature on would add
>> significant load to the keyserver network...
> 
> An open question and one we'd need to address: agreed.
> 
>> 3) It leaks information more than auto-key-retrieve or
>> auto-key-locate does.
> 
> I'm not entirely sure this is a problem.  If you're concerned about the
> keyserver operator knowing that you're acquiring certificates, why would
> you use that keyserver?  Why not use a different keyserver instead?  If
> there were a single centralized keyserver, or a keyserver hierarchy
> where individual nodes took marching orders from those above them, this
> would be much more of a problem -- but here, the decentralized nature of
> the keyserver network seems to work in our favor.

It's a similar problem in type as auto-key-retrieve or auto-key-locate, but it's a different problem in degree: both AKR and AKL fire only as needed (either when a key is needed for sig verification, or when a key is needed to encrypt to).  That's a single fetch for the life of the key (you might fetch it more via other means, but AKR and AKL (barring special configuration) will never fetch a key you already have).  Fetching the key on each usage means it leaks each time you use the key.  Plus remember that by default, GPG honors keyserver URLs on the key, which if combined with this new feature enables IP-address tracking of a person encrypting to a particular key (it's the same web-bug trick as AKR, but with encryption).

I don't think this should prevent such a feature from being added.  As with many tools, one person's foolish usage is another person's useful feature.  Like I said earlier, though, it does need to be off by default, as AKR and AKL are, and also like AKR and AKL, documented so people can make an informed decision on whether to use it or not.

Werner also showed a way to configure AKL to always fetch a key from a keyserver, which can be done with today's code.

David
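
The mitigation side of the tracking concern in this message, as a `gpg.conf` fragment added here as an example (it is not part of the original post): it keeps AKR and AKL explicitly off and stops GnuPG from following a keyserver URL embedded in a key, so any fetch goes only to the keyserver the user chose. The option names are GnuPG's own; the keyserver address is a placeholder.

```conf
# ~/.gnupg/gpg.conf -- added example, not from the original thread

# Keyserver you have chosen to trust with your lookups.
# Placeholder address; substitute your own.
keyserver hkp://keys.example.org

# Per the post, GnuPG honors the preferred-keyserver URL stored on a key
# by default. Turning that off means the key's owner cannot direct your
# fetches to a server they control and log your IP address there.
keyserver-options no-honor-keyserver-url

# AKR: do not fetch an unknown signing key automatically during
# signature verification (already the default; stated explicitly here).
keyserver-options no-auto-key-retrieve

# AKL: do not go looking for a missing recipient key automatically
# when encrypting (already the default; stated explicitly here).
no-auto-key-locate
```

With these settings, network fetches happen only when the user runs an explicit command such as `gpg --recv-keys` or `gpg --refresh-keys`, and they go to the configured keyserver.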



