German c't magazine postulates death of PGP encryption

Kristian Fiskerstrand kristian.fiskerstrand at
Fri Feb 27 13:11:33 CET 2015


On 02/27/2015 12:43 PM, Hauke Laging wrote:
> On Fri 27.02.2015, 12:27:40, gnupgpacker wrote:
>> Maybe implementation with an opt-in could preserve publishing of
>> faked keys on public keyservers?
> We need keyservers which are a lot better that today's. IMHO that
> also means that a keyserver should tell a client for each offered
> certificate whether it (or a trusted keyserver) has made such an
> email verification.

The keyservers have no role in this; they are a pure data store and can
never act as a CA. That would bring up a can of worms of issues, both
politically and legally. I wouldn't want to see the first case where a
keyserver operator was sued for permitting a "fake key" (the term
itself is very misleading: the key itself isn't fake at all, but a
fully valid key where the UID has not been mated to its holder through
proper validation).

Another way this is being handled in some systems is dedicated
keyservers for an organization (the standard is keys.[domain] in the cases
I've seen) that look up keys using LDAP. This is a read-only store
that is connected to the Domain Controller / Active Directory in the
system I'm thinking of. So at least Symantec Encryption Server checks
for the existence of such a keyserver when sending and asks it for
the key. The keys are automatically maintained with a short time to expiry,
requiring frequent refreshes. I understand the rationale, but would
rather see a CA involved in this (i.e. a Company Employee CA).

People need to understand that operational security is critical for
any security of a system, and validate the key through a secondary
channel (fingerprint, algorithm type, key length etc. verifiable
directly or through probabilistic measures, e.g. based on historical
postings on mailing lists over a long time for a project etc.).

-- 
----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Ubi mel ibi apes
Where there's honey, there are bees

