German ct magazine postulates death of pgp encryption

Kristian Fiskerstrand kristian.fiskerstrand at
Fri Feb 27 21:07:02 CET 2015


On 02/27/2015 08:42 PM, Werner Koch wrote:
> On Fri, 27 Feb 2015 19:37, marcozehe-ml at said:
>> And here’s the other problem the main article in c’t mentions:
>> Those keys, although faked, were certified. They were certified
>> by equally faked keys which resemble keys that are quite
>> well-known. So unless
> Nope.  According to the questions the author sent me prior to
> publishing this article, he only looked at the listing presented by the
> keyserver and concluded that if the web page says "self-signature"
> the user id must be valid (e.g. that second user id on the c't PGP
> CA).  Now we all know that keyservers don't do crypto.  As soon as
> you import that key the user ids with the faked self-signature are
> simply ignored and a listing by gpg won't show them.

The author was fully aware of this; he contacted me back in May 2014
regarding these keys and asked me to provide a list of keys that had
been signed by some specific keys (the fake CA keys). That list was
provided after a quick lookup: there were 7 keys in total that had
been signed with them.

> To avoid that in the future, the signature listing from the
> keyservers may add a note about this.

Increasing the information on keyservers like this, in particular in
the descriptive parts, can be considered. Would it suffice for it to be
part of the standard web interface for the keyserver intro, or would it
have to be added on each individual index page?

-- 
----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Veni vidi velcro
I came, I saw, I got stuck
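The point made above, that a keyserver's web listing shows signature packets without verifying them and that only a local `gpg` run decides which user IDs really carry a good self-signature, can be made concrete. The following is an added example, not code from this thread or from GnuPG: a small parser for the machine-readable output of `gpg --check-sigs --with-colons` that reports, per user ID, whether the key's own signature over it verified. The record layout (field 2 = signature status, field 5 = signer key ID, field 10 = user ID) follows GnuPG's documented colon format; the sample output, key IDs and addresses are constructed placeholders, not real keys.

```python
"""Added example (not from the thread or GnuPG): decide locally which user IDs
on a key carry a self-signature that actually verifies, by parsing the output
of `gpg --check-sigs --with-colons`.  Keyservers only list signature packets;
verifying them is the part a keyserver web page cannot do for you."""

from dataclasses import dataclass, field

# Constructed sample of `gpg --check-sigs --with-colons` output.  Key IDs,
# names and addresses are placeholders.  The second user ID carries a
# self-signature that did not verify ("-") plus an unchecked certification
# ("?") from a key that is not in the local keyring.
SAMPLE_CHECK_SIGS = """\
pub:u:4096:1:1111111111111111:1420070400:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000001111111111111111:
uid:u::::1420070400::ABCDEF0123456789::Alice Example <alice@example.invalid>::::::::::0:
sig:!::1:1111111111111111:1420070400::::Alice Example <alice@example.invalid>:13x:::::2:
uid:-::::1420070400::FEDCBA9876543210::Alice Example <ceo@example.invalid>::::::::::0:
sig:-::1:1111111111111111:1420070400::::Alice Example <ceo@example.invalid>:13x:::::2:
sig:?::1:2222222222222222:1420070400::::[User ID not found]:10x:::::2:
sub:u:4096:1:3333333333333333:1420070400:::::e::::::23:
sig:!::1:1111111111111111:1420070400::::Alice Example <alice@example.invalid>:18x:::::2:
"""


@dataclass
class UserId:
    name: str
    # Status of the key's own signature over this user ID, using gpg's
    # --check-sigs codes: "!" good, "-" bad, "%" error, "?" not checked.
    # "none" means no self-signature record was seen for the user ID at all.
    self_sig: str = "none"
    # (signer key ID, status) for certifications made by other keys.
    other_sigs: list = field(default_factory=list)


def _unescape(s: str) -> str:
    # gpg writes ':' inside user IDs as \x3a so the field separator stays unique.
    return s.replace("\\x3a", ":")


def parse_check_sigs(text: str) -> dict:
    """Return {primary key ID: [UserId, ...]} from colon-format output."""
    keys = {}
    key_id = None   # primary key the following records belong to
    uid = None      # user ID the following sig records certify
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            key_id = f[4]
            keys[key_id] = []
            uid = None
        elif rec == "sub":
            uid = None  # sig records after a subkey are binding signatures, not uid certs
        elif rec == "uid" and key_id is not None:
            uid = UserId(name=_unescape(f[9]))
            keys[key_id].append(uid)
        elif rec == "sig" and uid is not None:
            status, signer = f[1], f[4]
            if signer == key_id:
                uid.self_sig = status        # the self-signature this thread is about
            else:
                uid.other_sigs.append((signer, status))
    return keys


def valid_user_ids(text: str, key_id: str) -> list:
    """User IDs of key_id whose self-signature verified locally ("!")."""
    return [u.name for u in parse_check_sigs(text).get(key_id, [])
            if u.self_sig == "!"]


if __name__ == "__main__":
    for kid, uids in parse_check_sigs(SAMPLE_CHECK_SIGS).items():
        for u in uids:
            print(f"{kid} {u.self_sig:>4} {u.name}  others={u.other_sigs}")
    print("user IDs with a good self-signature:",
          valid_user_ids(SAMPLE_CHECK_SIGS, "1111111111111111"))
```

Feed it real output with `gpg --check-sigs --with-colons <keyid>`. As noted above, gpg normally drops a user ID whose self-signature does not verify at import time, so on a locally imported key you will usually only see "!" entries; the contrast is with the keyserver's index page, which lists every packet it was given without checking any of them.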

