German ct magazine postulates death of pgp encryption

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Sun Mar 1 15:58:27 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/01/2015 03:41 PM, Patrick Brunschwig wrote:
> On 27.02.15 20:56, Werner Koch wrote:
>> On Fri, 27 Feb 2015 17:26, patrick at enigmail.net said:
> 
>>> that anyone can upload _every_ key to a keyserver is an issue.
>>> If keyservers would do some sort of verification (e.g.
>>> confirmation of the email addresses) then this would lead to
>>> much more reliable data.
> 
>> We have such a system. It is called S/MIME.
> 
>> Ever tried to find an S/MIME (X.509) key (aka certificate) for an
>> arbitrary mail address?  The only working solution to get such a
>> key is by sending a mail and asking for the key.  You can do the
>> very same with PGP of course.  Keyservers along with visiting
>> cards are much nicer.
> 
>> So, why is there no public service to distribute X.509 keys?
>> Because nobody wants to be legally responsible for such a key
>> unless you push a stack of money over the table for a qualified
>> signature certificate.
> 
> I would not go as far as trying to guarantee the identity of a
> key. But I think if a keyserver could do some basic verification of
> keys, it would make OpenPGP a lot easier to use for email.
> 
> The idea I have in mind is roughly as follows: if you upload a key
> to a keyserver, the keyserver would send an encrypted email to
> every UID in the key. Each encrypted mail contains a unique link to
> confirm the email address. Once all email addresses are confirmed,
> the key is validated and the keyserver will allow access to it just
> like with any regular keyserver.
> 

You already have a variant of this at https://keyserver.pgp.com
(although I don't recall if they send the requests encrypted; I
haven't looked into the service in years).

In general I believe this to be an insufficient form of identification
that really doesn't provide much of anything useful, but at least the
PGP keyserver does it in a reasonably sane way methodologically, by
creating a signature from their CA on the key. Whether you put any
merit in having such a CA signature or not is left up to the user
(excluding for now the "fun" related to the spammy number of
signatures from it).

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
"Excellence is not a singular act but a habit. You are what you do
repeatedly."
(Shaquille O'Neal)
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJU8ykPAAoJEP7VAChXwav67LoIAJdaEldVcwdGAXE0u+Bk4pse
N93PY/LUYiDeEZvnfaa75EBSKBllnYZdDW0Dk9TAPos/PE1XWa4BFN4VIpjpa665
Hy94vpiE2Fvx+MYGO52qz/AHmSMkAD8z3wxIVLX+5MSFLRP/gmJz1E6/2YL9afEt
I2DSaE5XS2NNL9w6cX3SRgK52bEP1XZlRa3n+sSYAzGwZiGbthr67RV3jqadYbCw
hU7MDKhgrARc6ZSpycDbs1kLacgrXBsx2PpvqDPHghU1SuoglkJ8ZFYz/Y725k9z
LPmIvhx7jXHdqVo9JiTeDVubMylU2oqdnjBer9IrVywUCLEwKRGifhFMZOUV52U=
=uiJ3
-----END PGP SIGNATURE-----
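The confirm-every-UID flow Patrick sketches above (upload, a per-UID confirmation link sent in a mail encrypted to the key, publication only once all UIDs are confirmed) is small enough to model as a state machine. The following is an added illustration written for this archive page, not code from any keyserver or from anyone in the thread. It performs no OpenPGP operations at all: the "encrypted mail" is represented by an outbox entry, the key by its fingerprint string and UID list, and the fingerprint and addresses are constructed sample values. What it does show is the server-side bookkeeping a defender would want: single-use random tokens, only a digest of each token kept server-side, constant-time token comparison, and a lookup that stays empty until the last UID confirms.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _token_digest(token):
    # Only a digest of each confirmation token is stored, so a leaked
    # pending-table does not hand out usable confirmation links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class PendingKey:
    fingerprint: str
    uids: tuple
    token_digests: dict = field(default_factory=dict)  # uid -> sha256(token)
    confirmed: set = field(default_factory=set)


class VerifyingKeyserver:
    """Toy model of a keyserver that serves a key only after every UID
    on it has confirmed via a link sent to that address."""

    def __init__(self):
        self.pending = {}    # fingerprint -> PendingKey
        self.published = {}  # fingerprint -> tuple of confirmed uids
        # Each entry stands in for one mail "encrypted to the key" (uid,
        # fingerprint, token); in the real proposal only the holder of the
        # private key could read the link inside it.
        self.outbox = []

    def upload(self, fingerprint, uids):
        uids = tuple(dict.fromkeys(uids))  # drop duplicates, keep order
        if not uids:
            raise ValueError("a key without UIDs cannot be verified")
        pk = PendingKey(fingerprint, uids)
        for uid in uids:
            token = secrets.token_urlsafe(32)
            pk.token_digests[uid] = _token_digest(token)
            self.outbox.append((uid, fingerprint, token))
        # A re-upload restarts verification with fresh tokens.
        self.pending[fingerprint] = pk
        return len(uids)

    def confirm(self, fingerprint, token):
        """Redeem one confirmation link. Returns True if it matched a
        still-unconfirmed UID of a pending key."""
        pk = self.pending.get(fingerprint)
        if pk is None:
            return False
        digest = _token_digest(token)
        matched = None
        for uid, stored in pk.token_digests.items():
            if hmac.compare_digest(stored, digest):
                matched = uid
                break
        if matched is None:
            return False
        del pk.token_digests[matched]  # tokens are single-use
        pk.confirmed.add(matched)
        if pk.confirmed == set(pk.uids):
            self.published[fingerprint] = pk.uids
            del self.pending[fingerprint]
        return True

    def lookup(self, fingerprint):
        """Only fully confirmed keys are visible to clients."""
        return self.published.get(fingerprint)


if __name__ == "__main__":
    server = VerifyingKeyserver()
    fpr = "0000 0000 0000 0000 0000 EXAMPLE FINGERPRINT"  # constructed
    server.upload(fpr, ["alice@example.org", "alice@example.net"])
    print("visible before confirmation:", server.lookup(fpr))
    for uid, _, token in list(server.outbox):
        server.confirm(fpr, token)
        print("confirmed", uid, "->", server.lookup(fpr))
```

Running it prints `None` until the second address is confirmed, then the UID tuple. Kristian's point that this proves little stands: the model only shows that someone who could read the mail at each address (and, in the real flow, decrypt it) clicked the link; it says nothing about who that person is.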