German ct magazine postulates death of pgp encryption

Andreas Schwier andreas.schwier.ml at cardcontact.de
Fri Feb 27 21:12:25 CET 2015


>> But that's the main primary reason of the article at all. The fact
>> that anyone can upload _every_ key to a keyserver is an issue. If
>
> No, it is not, it has always been very clear not to rely on the
> existence of a key on either a keyserver or on a local keyring without
> proper verification and certification
So what exactly is the purpose of the keyserver then? If you expect me
to still verify fingerprints out of band, why would I grab a (probably
bogus) key from a keyserver in the first place? I could immediately ask my
peer to send it by mail.

The keyserver would make sense if my mail client automatically
fetched the public key from a server, based on the e-mail address of the
sender and some identity data (e.g. fingerprint) in the mail signature.

It would then prompt me whether I want to add that key to my keyring and
optionally perform some additional out-of-band checks.

Because normally I exchange keys in the context of establishing a
relationship with the sender of the e-mail. The context (mail arrived
expectedly, had a phone call just before, answers my request) allows
me to make a cautious decision about the level of trust I have in the key.

I have been using GNUPG for ages now, but I verified fingerprints only a
handful of times. Most of the time, I ask my peer for his public key
and wait for the mail to arrive. For me web-of-trust and key signing
parties don't make any sense, because I'd rather start a communication
with a bogus key and establish trust in my genuine peer from the
conversation we are having.

I like the way Threema does it: I can immediately start a secure
communication and if I need to, I can elevate the trust I have in the key.
But most of the time I'm communicating with people I know anyway.


-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com
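The client behaviour sketched in the post above (fetch the key by sender address, pick it by the fingerprint carried in the mail, prompt before adding, pin it, and let the user raise the trust level later after an out-of-band check), written out as an added example that is not part of the original thread or of GnuPG. The keyserver contents, addresses and fingerprints are constructed, and `Keyring`, `on_mail` and the decision strings are names assumed for this sketch.

```python
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    UNVERIFIED = 0   # pinned on first contact without an out-of-band check
    VERIFIED = 1     # fingerprint later confirmed out of band (call, in person)


# Constructed keyserver contents (not real keys). Because anyone may upload,
# one address can carry the genuine key and a bogus one side by side.
KEYSERVER = {
    "alice@example.org": {
        "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555": "<genuine key blob>",
        "0000DEADBEEF0000DEADBEEF0000DEADBEEF0000": "<bogus upload>",
    },
}


@dataclass
class Keyring:
    pinned: dict = field(default_factory=dict)  # email -> (fingerprint, Trust)

    def on_mail(self, sender, fpr_in_signature, keyserver=KEYSERVER):
        """Decide what the client does with a signed mail from `sender` whose
        signature names `fpr_in_signature`. Returns a decision string."""
        if sender in self.pinned:
            pinned_fpr, _ = self.pinned[sender]
            if pinned_fpr == fpr_in_signature:
                return "ok"              # consistent with the key pinned earlier
            # A different key than before: bogus upload or a genuine key change.
            # Never replace the pin silently; surface it to the user.
            return "conflict"
        candidates = keyserver.get(sender, {})
        if fpr_in_signature not in candidates:
            return "not-on-keyserver"    # fall back to asking the peer for the key
        # The fingerprint in the mail only selects among the uploaded keys; it
        # does not prove the sender is genuine. Hence: prompt, do not auto-add.
        return "prompt-add"

    def accept(self, sender, fpr):
        """User agreed to the prompt: pin the key, still unverified (TOFU)."""
        self.pinned[sender] = (fpr, Trust.UNVERIFIED)

    def verify_out_of_band(self, sender, fpr):
        """User compared the fingerprint with the peer directly: raise trust."""
        pinned_fpr, _ = self.pinned[sender]
        if pinned_fpr != fpr:
            raise ValueError("out-of-band fingerprint does not match pinned key")
        self.pinned[sender] = (fpr, Trust.VERIFIED)
```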