German ct magazine postulates death of pgp encryption

Patrick Brunschwig patrick at enigmail.net
Sun Mar 1 16:35:36 CET 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 01.03.15 15:58, Kristian Fiskerstrand wrote:
> On 03/01/2015 03:41 PM, Patrick Brunschwig wrote:
>> On 27.02.15 20:56, Werner Koch wrote:
>>> On Fri, 27 Feb 2015 17:26, patrick at enigmail.net said:
> 
>>>> that anyone can upload _every_ key to a keyserver is an
>>>> issue. If keyservers would do some sort of verification
>>>> (e.g. confirmation of the email addresses) then this would
>>>> lead to much more reliable data.
> 
>>> We have such a system. It is called S/MIME.
> 
>>> Ever tried to find an S/MIME (X.509) key (aka certificate) for
>>> an arbitrary mail address?  The only working solution to get
>>> such a key is by sending a mail and asking for the key.  You
>>> can do the very same with PGP of course.  Keyservers along with
>>> visting cards are much nicer.
> 
>>> So, why is there no public service to distribute X.509 keys? 
>>> Because nobody want to be legally responsible for such a key 
>>> unless you push a stack of money over the table for a qualified
>>>  signature certificate.
> 
>> I would not go that far as trying to guarantee the identity of 
>> key. But I think if a keyserver could do some basic verification
>> of keys, it would make OpenPGP a lot easier to use for email.
> 
>> The idea I have in mind is roughly as follows: if you upload a
>> key to a keyserver, the keyserver would send an encrypted email
>> to every UID in the key. Each encrypted mail contains a unique
>> link to confirm the email address. Once all email addresses are
>> confirmed, the key is validated and the keyserver will allow
>> access to it just like with any regular keyserver.
> 
> 
> You already have a variant of this at https://keyserver.pgp.com 
> (although I don't recall if they send the requests encrypted, I 
> haven't looked into the service in years)
> 
> In general I believe this to be an insufficient form of
> identification that really doesn't provide much of anything useful,
> but at least the PGP keyserver does it reasonably sane in its
> methodology by creating a signature from their CA on the key.
> Whether you put any merit to having such a CA signature or not is
> left up to the user (excluding for now the "fun" related to the
> spammy number of signatures from it)

Yes, I know. The re-confirmation every few months together with
re-signing the keys is among the things I dislike about
keyserver.pgp.com. But in general, I think that keyservers need to go
in that direction if we want to enable easy use of OpenPGP in email
(which requires in some way or another to download missing keys
automatically).

- -Patrick

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJU8zHGAAoJENsRh7ndX2k7dNMQAKpRyStQFPRszQ4V52VS9Cuk
NTwUeRJ/ZIpM4OU0g1/3pXCMRI3xlSz0ts0Dh2ddMo2xcso5kS1X64DzrR6Sj6XT
AF2hBr9rkU+vZN7KAjdlvOPbZruXZEqCQlLm0aAxVPDRY+AKC4YSTKHR4OvAnlyY
mSFXDG7T/m6n8stwWrkY1M3PzD7UJCXH9Qsfb98oYOcP62MJlZW7H2byIgwVHvCK
ijnCJ7YZNRYTpOwfn2WtN+hP5AksrF1uQwQn/ApbgOVuvPwIl2+MhdbY9wjzv3WB
QFD4472Xho1vLsvT+qTHAskI4l5InnIhuxDVVRsr7OAGjbNPmSiph18+3A1vQOuy
mkkBUYJblifM2hmhKTBTNhJyD/TYvhVrC35Tb3J+eq2RhaStivjlKFH9tH9FgBBR
tz1R8OIdq4A3ZyHPYXBvvuYe+geZmUEOOAtTA7JDPvXrwrtLeGKvNJ31UaFd7kGd
odk5PNRscWJIeQfSEwNCUyzzKexWjj14OFLCd4D9ylNVEHWhHOCEgMmgZaAVIduH
oE5ChgCWLx44WQPA5O+bMEY4+WYJaJEk/tkwLHuY9CB98kGd3DmdK5BCh4WI6NLX
O0Z3b7gDQfTxdi5fHJtHA16rtigA4zpkKz3Z4kgJUzVfnf2ikcU4+ppJX/Pd+4jZ
Wt5Mq+MmViexsE/J/BFA
=c5nb
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list