Garbled data in keyservers
    Stefan Claas 
    stefan.claas at posteo.de
       
    Sun Dec  9 19:54:56 CET 2018
    
    
  
On Sun, 9 Dec 2018 19:51:37 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 18:24:38 +0100, Dirk Gottschalk wrote:
 
Hi Dirk,
> 
> > Get a sig from a CA and then upload your key via email.
> > Then the key servers do something like a gpg --check-sigs
> > to see if a key bears a valid CA sig and if it is found in their
> > index the key will be added to the network, once the submitted
> > UID matches with the email address header. So no cryptographic
> > verification is imho needed. This would also eliminate, I think,
> > that someone else can upload someone else's pub key.
> > 
> > And who decides which CA is trustworthy and which is not? The
> > problem is, like in the X.509 land, that it depends on an initial
> > trust to one or more central authorities. Who decides whom one can
> > trust.
If trusted organizations like EFF etc. would run a CA...
> > And further, why should anyone run something like a CA for
> > free.
 
Nobody said that it should be free.
> > And then again the question, who decides who gets the needed
> > trust?
I have learned in the past the phrase "trust nobody" when it comes
to IoT. That means also I don't have to trust GnuPG users, for
example... ;-)
Regards
Stefan
-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
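
The acceptance rule proposed in the quoted text (a good CA signature on a UID whose address equals the submitting mail's From address), sketched as an added example that is not part of the original message or of any keyserver's code. It parses `gpg --with-colons --check-sigs` output; the key IDs, addresses and the `CA_KEYIDS` index are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed `gpg --with-colons --check-sigs` output; key IDs and addresses are made up.
SAMPLE = """\
pub:-:255:22:AAAAAAAAAAAAAAAA:1544300000:::-:::scESC:
uid:-::::1544300000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sig:!::22:AAAAAAAAAAAAAAAA:1544300000::::Alice Example <alice@example.org>:13x:
sig:!::1:CCCCCCCCCCCCCCCC:1544310000::::Example CA <ca@example.net>:10x:
uid:-::::1544300000::1111111111111111111111111111111111111111::Alice <alice@other.example>:
sig:!::22:AAAAAAAAAAAAAAAA:1544300000::::Alice Example <alice@example.org>:13x:
"""
CA_KEYIDS = {"CCCCCCCCCCCCCCCC"}  # hypothetical index of CA keys the server accepts


def ca_certified_emails(colons, ca_keyids):
    """E-mail addresses of user IDs that carry a good ('!') signature from a CA key."""
    certified, current = set(), None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            # Field 10 is the user ID; signatures that follow certify this UID.
            current = parseaddr(f[9])[1].lower() or None
        elif f[0] in ("pub", "sub", "uat"):
            current = None  # following signatures do not certify an e-mail UID
        elif f[0] == "sig" and len(f) > 4 and current:
            # Field 2 is the check result ('!' good, '-' bad, '?' key missing),
            # field 5 is the signer's key ID.
            if f[1] == "!" and f[4].upper() in ca_keyids:
                certified.add(current)
    return certified


def accept_submission(from_header, colons, ca_keyids=CA_KEYIDS):
    """Apply the proposed rule: sender address must equal a CA-certified UID address."""
    sender = parseaddr(from_header)[1].lower()
    return bool(sender) and sender in ca_certified_emails(colons, ca_keyids)


if __name__ == "__main__":
    for hdr in ("Alice <alice@example.org>", "alice@other.example", "mallory@example.com"):
        print(hdr, "->", accept_submission(hdr, SAMPLE))
```

The From header is taken at face value here, as in the proposal; the sketch does not authenticate the submitting mail itself.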
    
    
More information about the Gnupg-users
mailing list