German ct magazine postulates death of pgp encryption
Patrick Brunschwig
patrick at enigmail.net
Fri Feb 27 17:26:51 CET 2015
On 27.02.15 13:11, Kristian Fiskerstrand wrote:
> On 02/27/2015 12:43 PM, Hauke Laging wrote:
>> Am Fr 27.02.2015, 12:27:40 schrieb gnupgpacker:
>
>>> Maybe implementation with an opt-in could preserve publishing
>>> of faked keys on public keyservers?
>
>> We need keyservers which are a lot better that today's. IMHO
>> that also means that a keyserver should tell a client for each
>> offered certificate whether it (or a trusted keyserver) has made
>> such an email verification.
>
> The keyservers have no role in this, they are pure data store and
> can never act as a CA. That would bring up a can of worm of issues,
> both politically and legally, I wouldn't want to see the first case
> where a keyserver operator was sued for permitting a "fake key"
> (the term itself is very misleading, the key itself isn't fake at
> all, but a fully valid key where the UID has not been mated to its
> holder through proper validation).
But that's the main primary reason of the article at all. The fact
that anyone can upload _every_ key to a keyserver is an issue. If
keyservers would do some sort of verification (e.g. confirmation of
the email addresses) then this would lead to much more reliable data.
Furthermore, we need a feature to allow keys to be removed in case the
true owner of an email address requests it.
I know that this collides with today's keyservers and it also collides
with keyservers exchanging keys between each other, but I strongly
believe that this would make keyservers more trustworthy than today.
-Patrick
More information about the Gnupg-users
mailing list