German ct magazine postulates death of pgp encryption

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Tue Mar 3 16:20:34 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/03/2015 01:50 PM, Hans of Guardian wrote:
> 
> On Feb 27, 2015, at 1:11 PM, Kristian Fiskerstrand wrote:
> 
> On 02/27/2015 12:43 PM, Hauke Laging wrote:
>>>> On Fri 27.02.2015, 12:27:40, gnupgpacker wrote:
>>>> 
>>>>> Maybe implementation with an opt-in could preserve
>>>>> publishing of faked keys on public keyservers?
>>>> 
>>>> We need keyservers which are a lot better than today's. IMHO 
>>>> that also means that a keyserver should tell a client for
>>>> each offered certificate whether it (or a trusted keyserver)
>>>> has made such an email verification.
> 
> The keyservers have no role in this, they are pure data store and 
> can never act as a CA. That would bring up a can of worms of
> issues, both politically and legally; I wouldn't want to see the
> first case where a keyserver operator was sued for permitting a
> "fake key" (the term itself is very misleading, the key itself
> isn't fake at all, but a fully valid key where the UID has not been
> mated to its holder through proper validation).
> 
> 
>> The standard PGP keyserver pool is a mess with racist spam, lost 
>> keys that will be there forever, etc.  The concept of email 
>> validation is very very common and proven in internet service 
>> providers.

And anyone is free to set up a CA that performs this validation and
signs the returned key.

>> It is time for OpenPGP keyservers to join the rest of the
>> internet.
> 

They are already quite up to date, SKS 1.1.5+ (development master)
even supports the experimental Ed25519 draft used by GnuPG. What you
are proposing here isn't about joining the rest of the internet, it is
about subverting the security by introducing a false sense of security
and even worse, that opens up well known attack vectors.

By the way, an OpenPGP key is fully valid without any email address as
part of any UID.

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Acta est fabula
So ends the story
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJU9dE9AAoJEP7VAChXwav6ThcH/iTlxKZA9VQoExj8BEueXx61
hC1vCYwozu03+D1NnEjaR4M60i3M+rGz47NNQ3CXGgSkMNP1jp5WYt2V1TZ9maWO
Ho5O1XEqXAW0KGmoKUCmRFPstAWjySpa1fOc/4Zx6N9Ay4WqzPxu7OyJwK174AKz
LKahw+LRntlbj7NrgJqFwQfXzbqKO23oFD9bd4Z9dX4UuM7lWnSk55AKw7K3R2gW
UnTt4DAdBEDjz3IwClFCArY87MiW+i2F7sSmg6MkH4A6LkSQRjvSgUa0+tUO+4SR
yHC9KVV1Ru+JxJsxcqM9gOjU1i5Pq9qc7/z5+oNvgju7ltPAKLB6MJjOz4RK1BM=
=7Z2B
-----END PGP SIGNATURE-----
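The point Kristian makes above (a "fake key" is a fully valid key whose UID has simply not been certified by anyone you trust, and a UID need not contain an email address at all) follows directly from the OpenPGP data model. The example below is added here and is not code from the thread or from any poster: it parses the packet structure of an OpenPGP transferable public key (RFC 4880 old- and new-format packet headers, v4 signature packets and their subpackets) and lists, for each User ID, which key IDs have certified it. It constructs its own sample key with placeholder key IDs and dummy MPIs and does not verify any signature cryptographically; the names `HOLDER`, `CA`, `SAMPLE_KEY` and all functions are assumptions of this example.

```python
# Added example: walk the packet structure of an OpenPGP public key and
# report which key IDs certified each User ID. No signature is verified;
# the point is the data model: a UID is free-form text, a keyserver stores
# whatever it receives, and only a certification by a party you trust
# binds a UID to its holder. Sample packets below are constructed.
import struct

# ---- constructed sample key (not a real key) --------------------------------
HOLDER = bytes.fromhex("0123456789ABCDEF")  # placeholder key ID of the holder
CA = bytes.fromhex("CAFE0000CAFE0001")      # placeholder key ID of a validating CA
WHEN = struct.pack(">I", 1425394800)        # constructed creation time

def packet(tag, body):
    """Old-format packet header (RFC 4880 4.2.1) with a 2-octet length."""
    assert 0 < tag < 16 and 0 < len(body) < 65536
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def subpacket(sp_type, data):
    """Signature subpacket with a 1-octet length (length covers the type octet)."""
    assert len(data) + 1 < 192
    return bytes([len(data) + 1, sp_type]) + data

def public_key_packet():
    # v4 key: version, creation time, algorithm 1 (RSA), then dummy MPIs n and e
    body = bytes([4]) + WHEN + bytes([1]) + b"\x00\x10\x80\x01" + b"\x00\x02\x00\x03"
    return packet(6, body)

def certification_sig(issuer_keyid, sigtype=0x13):
    """v4 certification signature packet with an issuer subpacket (dummy hash/MPI)."""
    hashed = subpacket(2, WHEN)                   # signature creation time (required)
    unhashed = subpacket(16, issuer_keyid)        # issuer key ID
    body = (bytes([4, sigtype, 1, 10])            # v4, sig type, RSA, SHA-512
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00"                         # left 16 bits of hash (dummy)
            + b"\x00\x10\x80\x01")                # dummy MPI
    return packet(2, body)

SAMPLE_KEY = (
    public_key_packet()
    + packet(13, b"Alice Example (no email at all)") + certification_sig(HOLDER)
    + packet(13, b"Alice Example <alice@example.org>")
    + certification_sig(HOLDER) + certification_sig(CA)
    + packet(13, b"Alice Example <ceo@example.org>") + certification_sig(HOLDER)
)

# ---- parsing ---------------------------------------------------------------
def iter_packets(data):
    """Yield (tag, body) for each packet; handles old and new header formats."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if not b & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if b & 0x40:                                  # new format
            tag, l0 = b & 0x3F, data[i + 1]
            if l0 < 192:
                length, i = l0, i + 2
            elif l0 < 224:
                length, i = ((l0 - 192) << 8) + data[i + 2] + 192, i + 3
            elif l0 == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                         # old format
            tag, ltype = (b >> 2) & 0x0F, b & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        yield tag, data[i:i + length]
        i += length

def iter_subpackets(data):
    """Yield (type, value) for each signature subpacket (critical bit masked off)."""
    i = 0
    while i < len(data):
        l0 = data[i]
        if l0 < 192:
            length, i = l0, i + 1
        elif l0 < 255:
            length, i = ((l0 - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        yield data[i] & 0x7F, data[i + 1:i + length]
        i += length

def parse_signature(body):
    """Return (sigtype, issuer key ID hex or None) from a v4 signature body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    issuer = None
    for t, v in list(iter_subpackets(hashed)) + list(iter_subpackets(unhashed)):
        if t == 16:
            issuer = v.hex().upper()
    return body[1], issuer

def uid_certifications(key_bytes):
    """Map each UID to the list of (sigtype, issuer) certifications that follow it."""
    result, current = {}, None
    for tag, body in iter_packets(key_bytes):
        if tag == 13:                                 # User ID: free-form UTF-8 text
            current = body.decode("utf-8")
            result[current] = []
        elif tag == 14:                               # subkey: UID section is over
            current = None
        elif tag == 2 and current is not None:
            sigtype, issuer = parse_signature(body)
            if 0x10 <= sigtype <= 0x13:               # certification signature types
                result[current].append((sigtype, issuer))
    return result

def uids_certified_by(key_bytes, trusted_keyids):
    """UIDs carrying a certification from a trusted key ID (structure only, no crypto)."""
    return [uid for uid, sigs in uid_certifications(key_bytes).items()
            if any(issuer in trusted_keyids for _, issuer in sigs)]
```

Run against the constructed key, every UID is self-certified by the holder (so `uids_certified_by(SAMPLE_KEY, {"0123456789ABCDEF"})` returns all three), but only `Alice Example <alice@example.org>` carries a certification from the CA key ID: a keyserver returning this key proves nothing about `ceo@example.org`, and the email-free UID is just as structurally valid as the others. A real client must additionally verify each certification signature against the issuer's public key before treating it as a binding.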



More information about the Gnupg-users mailing list