? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?

Miroslav Rovis miro.rovis at croatiafidelis.hr
Wed Dec 28 11:43:43 CET 2016

On 161227-22:54+0100, NdK wrote:
> Il 27/12/2016 22:09, Don Warner Saklad ha scritto:
> > What do you kind folks out there make of comments at
> > https://stallman.org/gpg.html
> >  >"I'm told that key servers carry many phony keys claiming to be
> >    mine. Here is info about which keys are really mine."
> > 
> >  >"Of course, to be really sure which key is mine, you need to get my
> >    key fingerprint from me or follow a chain of signatures. If a phony
> >    key appears to be signed by someone you trust, you should see what's
> >    up with that person."
> > 
> > 
> > and 4th sentence from the top at
> > https://stallman.org
> >  >"If you want to send me GPG-encrypted mail, do not trust key servers!
> >    Some of them have phony keys under my name and email address, made by
> >    someone else as a trick. See gpg.html for my real key."
> Why do you find it strange?
> Keyservers are just public write-only repositories that do not attempt
> to verify the keys.
> You have to verify the keys via the WoT (web of trust: "follow a chain
> of signatures"), or by other means ("see gpg.html for my real key"), and
> that's what Stallman says. Better do both: check that the chain
> identifies the key given in gpg.html (must be retrieved via https).

It's a different topic, but it might have the unreliability of
keyservers for its justification:

The fact that Github, since this outgoing year, accepts gpg signing only
if you post your public key to their servers.

Or does it? Is it more like Github wants to collect and control?

I know it was possible to:

$ cd <your git project>
$ git tag <version> -s
$ git push --tags

and all was there, signed and verifiable for everybody, without the need
to have previously posted your own public key to github.com. Up until
just last year, IIRC.

Any ideas for true reasons behind that move? And is it an improvement,
or quite the contrary?

Miroslav Rovis
Zagreb, Croatia
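An added illustration of the point NdK makes above (not code from this thread or from GnuPG itself): a keyserver can hand you several keys carrying the same name and address, and the only thing that tells them apart is the fingerprint you obtained out of band (from a https page, in person, or through a chain of signatures). The script below parses the machine-readable `--with-colons --fingerprint` listing that gpg produces, pins one fingerprint, and reports every other key under the same address as unverified. The listing, the fingerprints and the user ID are constructed sample data; the `KNOWN_FINGERPRINT` value stands in for whatever you copied from the key owner's own page.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output.
# Two primary keys carry the same user ID; only their fingerprints differ.
# The fingerprints and key IDs here are made up for the example.
SAMPLE_LISTING = """\
tru::1:1482921823:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1482900000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1482900000::DEADBEEF00000000000000000000000000000001::Example User <user@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1482900000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
pub:u:2048:1:ABCDEF0123456789:1482910000:::u:::scESC::::::23::0:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666:
uid:u::::1482910000::DEADBEEF00000000000000000000000000000002::Example User <user@example.org>::::::::::0:
"""

# Fingerprint obtained out of band (placeholder value for this example),
# written the way gpg prints it, with grouping spaces.
KNOWN_FINGERPRINT = "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000"


def normalize_fingerprint(fpr):
    """Strip whitespace and upper-case so copied fingerprints compare cleanly."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_colon_listing(text):
    """Turn gpg's colon-separated listing into a list of primary keys.

    Record layout (field 0 is the record type): 'pub' carries the key ID in
    field 4, the 'fpr' record that follows it carries the fingerprint in
    field 9, and each 'uid' record carries the user ID in field 9.  'sub'
    records have their own 'fpr' lines, which must not be mistaken for the
    primary key's fingerprint.
    """
    keys = []
    current = None
    in_primary = False
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            current = {"keyid": fields[4], "fingerprint": None, "uids": []}
            keys.append(current)
            in_primary = True
        elif rec == "sub":
            in_primary = False
        elif rec == "fpr" and current is not None and in_primary:
            current["fingerprint"] = normalize_fingerprint(fields[9])
        elif rec == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys


def select_pinned_key(keys, pinned_fingerprint):
    """Return the one key whose fingerprint equals the pinned value, else None."""
    pinned = normalize_fingerprint(pinned_fingerprint)
    matches = [k for k in keys if k["fingerprint"] == pinned]
    return matches[0] if len(matches) == 1 else None


def unverified_keys_for_address(keys, address, pinned_fingerprint):
    """Key IDs that name the same address but do not match the pinned fingerprint.

    These are exactly the keys a keyserver would happily serve to anyone who
    searched by name or e-mail; nothing about them is verified.
    """
    pinned = normalize_fingerprint(pinned_fingerprint)
    return [
        k["keyid"]
        for k in keys
        if any(address in uid for uid in k["uids"]) and k["fingerprint"] != pinned
    ]


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    good = select_pinned_key(keys, KNOWN_FINGERPRINT)
    others = unverified_keys_for_address(keys, "user@example.org", KNOWN_FINGERPRINT)
    print("pinned key:", good["keyid"] if good else "not found")
    print("unverified keys under the same address:", others)
```

To use it against a real keyring you would feed it the output of `gpg --with-colons --fingerprint --list-keys <address>` instead of the constructed listing; the design choice worth keeping is that the key is chosen by full fingerprint, never by name, e-mail or short key ID, since those are exactly what the phony keys copy.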