German ct magazine postulates death of pgp encryption
andreas.schwier.ml at cardcontact.de
Fri Feb 27 21:12:25 CET 2015
>> But that's the main primary reason of the article at all. The fact
>> that anyone can upload _every_ key to a keyserver is an issue. If
> No, it is not, it has always been very clear no to rely on the
> existence of a key on either a keyserver or on a local keyring without
> proper verification and certification
So what exactly is the purpose of the keyserver then ? If you expect me
to still verify fingerprints out of band, why would I grab a - probably
bogus key - from a keyserver first place ? I could immediately ask my
peer to send it by mail.
The keyserver would make sense, if my mail client would automatically
fetch the public key from a server, based on the e-mail address of the
sender and some identity data (e.g. fingerprint) in the mail signature.
It would them prompt me, if I want to add that key to my keyring and
optionally perform some additional out-of-band checks.
Because normally I exchange keys in the context of establishing a
relationship with the sender of the e-mail. The context (mail arrived
expectedly, had a phone call just before, answers my request) allows to
me to make a cautious decision about the level of trust I have in the key.
I have been using GNUPG for ages now, but I verified fingerprints only a
hand-full of time. Most of the time, I ask my peer for his public key
and wait for the mail to arrive. For me web-of-trust and key signing
parties don't make any sense, because I'd rather start a communication
with a bogus key and establish trust in my genuine peer from the
conversation we are having.
I like the way Threema does it: I can immediately start a secure
communication and if I need I can elevate the trust I have in the key.
But most of the time I'm communicating with people I know anyway.
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
More information about the Gnupg-users