Garbled data in keyservers

Stefan Claas stefan.claas at
Sun Dec 9 19:54:56 CET 2018

On Sun, 9 Dec 2018 19:51:37 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 18:24:38 +0100, Dirk Gottschalk wrote:
Hi Dirk,
> > Get a sig from a CA and then upload your key via email.
> > Then the key servers do something like a gpg --check-sigs
> > to see if a key bears a valid CA sig and if it is found in their
> > index the key will be added to the network, once the submitted
> > UID matches with the email address header. So no cryptographic
> > verification is imho needed. This would also eliminate, i think,
> > > that someone else can upload someone else's pub key.    
> > 
> > And who decides which CA ist trustworthy and which is not? The
> > problem ist, like in the X.509 land, that it depends on an initial
> > trust to one or more central authorities. Who decides whom one can
> > trust.  

If trusted organizations like EFF etc. would run a CA...

> > And further, why should anyone run something like a ca CA for
> > free.  
Nobody said that it should be free.

> > And then again the question, who decides who get's the nedded
> > trust?  

I have learned in the past the phrase "trust nobody" when it comes
to IoT. That means also I don't have to trust GnuPG users, for
example... ;-)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: Digitale Signatur von OpenPGP
URL: <>

More information about the Gnupg-users mailing list