German ct magazine postulates death of pgp encryption

Werner Koch wk at
Fri Feb 27 20:42:30 CET 2015

On Fri, 27 Feb 2015 19:37, marcozehe-ml at said:

> And here’s the other problem the main article in c’t mentions: Those
> keys, although faked, were certified. They were certified by equally
> faked keys which resemble keys that are quite well-known. So unless

Nope.  According to the questions the author sent me prior to publishing
this article, he only looked at listing presented by the keyserver and
concluded that if the web pages tells self-signature the user id must be
valid (e.g. that second user id on the c't PGP CA).  Now we all know
that keyservers don't do crypto.  As soon as you import that key the
user ids with the faked self-signature are simply ignored and a listing
by gpg won't show them.

To avoid that in the future, the signature listing from the keyservers
may add a note about this.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list