Garbled data in keyservers
stefan.claas at posteo.de
Sun Dec 9 19:54:56 CET 2018
On Sun, 9 Dec 2018 19:51:37 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 18:24:38 +0100, Dirk Gottschalk wrote:
> > Get a sig from a CA and then upload your key via email.
> > Then the key servers do something like a gpg --check-sigs
> > to see if a key bears a valid CA sig and if it is found in their
> > index the key will be added to the network, once the submitted
> > UID matches with the email address header. So no cryptographic
> > verification is imho needed. This would also eliminate, i think,
> > > that someone else can upload someone else's pub key.
> > And who decides which CA ist trustworthy and which is not? The
> > problem ist, like in the X.509 land, that it depends on an initial
> > trust to one or more central authorities. Who decides whom one can
> > trust.
If trusted organizations like EFF etc. would run a CA...
> > And further, why should anyone run something like a ca CA for
> > free.
Nobody said that it should be free.
> > And then again the question, who decides who get's the nedded
> > trust?
I have learned in the past the phrase "trust nobody" when it comes
to IoT. That means also I don't have to trust GnuPG users, for
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 228 bytes
Desc: Digitale Signatur von OpenPGP
More information about the Gnupg-users