Garbled data in keyservers

Dirk Gottschalk dirk.gottschalk1980 at
Sun Dec 9 18:24:38 CET 2018


On Sunday, 09.12.2018, at 13:54 +0100, Stefan Claas wrote:
> On Thu, 06 Dec 2018 15:22:14 +0100, Werner Koch wrote:
> > > That's right, but my thought is / was someone can (ab)use key
> > > servers as data storage / retrieval system and then only provides
> > > the key id  
> > 
> > As it has been commented, there are easier ways to do that.

> I have read also the threads at sks devel ML and my suggestions
> would be that we need more international CAs to get rid of all
> the problems the key server network has.

> People should think about the following:

> Get a sig from a CA and then upload your key via email.
> Then the key servers do something like a gpg --check-sigs
> to see if a key bears a valid CA sig and if it is found in their
> index the key will be added to the network, once the submitted
> UID matches with the email address header. So no cryptographic
> verification is imho needed. This would also eliminate, I think,
> that someone else can upload someone else's pub key.

And who decides which CA is trustworthy and which is not? The problem
is, like in the X.509 land, that it depends on an initial trust to one
or more central authorities. Who decides whom one can trust?

And further, why should anyone run something like a CA for free?
Sure, CAcert does it. But that's the only organisation I know who does

And then again the question, who decides who gets the needed trust?


Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
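
Added example, not part of the original message or of any keyserver software: a sketch of the admission check proposed in the quoted text, run over constructed `gpg --with-colons --check-sigs` style output. The key IDs, names, addresses and the function names are assumptions made for illustration; the set of CA key IDs is the policy input the reply asks about.

```python
from email.utils import parseaddr

# Constructed sample in the `gpg --with-colons --check-sigs` layout:
# field 1 = record type, field 2 = check result on sig records
# ('!' good, '-' bad), field 5 = signer key ID, field 10 = user ID.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1544000000:::-:::scESC::::::23::0:
uid:-::::1544000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1544000000::::Alice Example <alice@example.org>:13x:::::8:
sig:!::1:CCCCCCCCCCCCCCCC:1544000100::::Example CA <ca@example.net>:10x:::::8:
uid:-::::1544000000::1111111111111111111111111111111111111111::Alice <alice@example.com>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1544000000::::Alice Example <alice@example.org>:13x:::::8:
sig:-::1:CCCCCCCCCCCCCCCC:1544000200::::Example CA <ca@example.net>:10x:::::8:
"""

def ca_certified_emails(colons, ca_keyids):
    """Return addresses of user IDs that carry a good ('!') signature from a listed CA."""
    certified, current = set(), None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            # Signatures that follow belong to this user ID.
            current = parseaddr(f[9])[1].lower()
        elif f[0] in ("pub", "sub"):
            # Signatures after a key record are not user ID certifications.
            current = None
        elif f[0] == "sig" and current and len(f) > 4:
            if f[1].startswith("!") and f[4] in ca_keyids:
                certified.add(current)
    return certified

def admit(colons, from_header, ca_keyids):
    """Proposal's rule: accept only if the From address is a CA-certified user ID.

    The From header is taken as given, as in the proposal; it is not authenticated.
    """
    sender = parseaddr(from_header)[1].lower()
    return bool(sender) and sender in ca_certified_emails(colons, ca_keyids)

if __name__ == "__main__":
    cas = {"CCCCCCCCCCCCCCCC"}  # hypothetical CA key ID chosen by the operator
    print(admit(SAMPLE, "Alice <alice@example.org>", cas))
    print(admit(SAMPLE, "Alice <alice@example.com>", cas))
```

The outcome depends entirely on which key IDs the operator places in `ca_keyids`: with an empty set nothing is admitted, and a self-signature alone never qualifies.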
