Download of public keys

sivmu at web.de sivmu at web.de
Fri Feb 17 22:28:19 CET 2017


On 17.02.2017 at 21:57, Kristian Fiskerstrand wrote:
> On 02/17/2017 09:46 PM, sivmu at web.de wrote:
>> On 17.02.2017 at 20:43, Kristian Fiskerstrand wrote:
>>> On 02/17/2017 07:17 PM, Kristian Fiskerstrand wrote:
>
>
>>>
>>> That change would also be consistent with 
>>> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fb482252436b3b4b0b33663d95d1d17188ad1d9
>>>
>>
>>>
>> Not quite sure I get this.
>>
>> So what this means is that effectively gnupg still uses plaintext
>> connections to update public keys by default, does it not? 
>
> Yes (if not a tor configuration locally)
>
>> If the
>> change I suggested is not correct, shouldn't we find another way to
>> use secure connection by default whenever possible?
>
> Probably nitpick, but it would likely increase privacy - not security.
>

That was the goal all along, as mentioned in the initial post some weeks ago.
Especially when the complete keyring is updated, this leaks the complete contact list to the network, which is kinda bad. And privacy is kinda also something people use gnupg for, isn't it?

So I don't know the best way to change this but I would like to suggest that future versions use https only by default, e.g. by changing the skel file.


