Keyserver access changes in GnuPG

justina colmena justina at colmena.biz
Wed Dec 12 18:05:58 CET 2018


On December 12, 2018 2:35:43 AM AKST, Stefan Claas <stefan.claas at posteo.de> wrote:
>On Wed, 12 Dec 2018 10:15:33 +0100, Wiktor Kwapisiewicz via Gnupg-users
>wrote:
>> Hello all,
>> 
>> I recently saw a message from one of Fedora's maintainers:
>> 
>> > Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1.
>> > Also dropping keyserver support at Werner's
>> > suggestion since upstream plans to disable that soon.
>> 
>> Source: https://infosec.exchange/@bcl/101195051788828345
>> 
>> Does anyone know anything about dropping keyserver support in GnuPG?
>> That seems
>> a little bit radical but maybe I've missed something...
>
>If so, I see it as a consequent move from past discussions on ML's and
>that Werner shows responsibility, while everybody else defended the old
>system or put their head in the sand.
>
>Bravo!
>
>Regards
>Stefan
>
>-- 
>https://www.behance.net/futagoza
>https://keybase.io/stefan_claas


One disadvantage of "keyservers" in general is that the automated queries to them leak "too much information" on the parties with whom one is communicating - even the fact that one is using PGP at all.

One of the original goals of PGP, and later on, GnuPG, was to avoid the reliance on a central point of failure such as a "server." It was to be a most explicitly *decentralized* system.

*Probably nothing wrong* with a keyserver if the key is tied to one's everyday real-life identity, but that is not always the use case of public key cryptography. Not everyone wants his or her phone number, email address, and residence address published in a database accessible to the public.

The big advantage, of course, to the keyservers is that they make it convenient for people to use PGP and GnuPG who might not otherwise bother with encryption at all.

In any case, I am sure that the keyserver support functionality could easily be split off into a separate program if it is being dropped from GnuPG, which to be honest is getting rather bloated and could do well to focus on its core competencies.

Right now the OpenKeychain app on my phone is configured to search OpenPGP keyservers:

hkps://keyserver.ubuntu.com
hkps://hkps.pool.sks-keyservers.net (hkp://jirk5u4osbsr34t5.onion)
hkps://pgp.mit.edu
hkps://keys.fedoraproject.org (which I added because I use Fedora.)

There is also a "keybase.io" and a "Web Key Directory" search. It might seem a bit much, but the general goal here is not "absolute privacy" but to enable the dumb user of a smart phone to make use of PGP encryption.

This whole debate, I seem to recall, took place many, many years ago, and of course different groups have different goals and find different technical solutions for their respective situations.

-- 
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/justina.colmena.asc
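The leakage discussed above can be checked for in one's own setup. As an added example (not code from the thread or from GnuPG), this Python script reads gpg.conf and dirmngr.conf text and flags the options that make the client query a keyserver unattended: auto-key-retrieve, remote auto-key-locate mechanisms, and a dirmngr without use-tor. The sample configs are constructed.

```python
"""Audit gpg.conf / dirmngr.conf for settings that trigger automatic keyserver lookups.
Added example, not from the thread or from GnuPG; the sample configs are constructed."""

# auto-key-locate mechanisms that contact a remote party (a keyserver, DNS, LDAP, or
# the address's own web server for WKD) rather than only the local keyring
REMOTE_LOCATE = {"keyserver", "cert", "dane", "ldap", "pka", "wkd"}

SAMPLE_GPG_CONF = """\
# constructed sample of a convenience-oriented setup
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options auto-key-retrieve no-honor-keyserver-url
auto-key-locate local,wkd,keyserver
"""
SAMPLE_DIRMNGR_CONF = "keyserver hkps://keyserver.ubuntu.com\n"


def parse_conf(text):
    """Yield (option, argument) pairs from a GnuPG-style config file:
    one option per line, optional leading '--', lines starting with '#' are comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        option = parts[0].lstrip("-")
        argument = parts[1].strip() if len(parts) > 1 else ""
        yield option, argument


def audit(gpg_conf, dirmngr_conf):
    """Return a list of findings describing settings that cause unattended network queries."""
    findings = []
    for option, argument in parse_conf(gpg_conf):
        words = argument.replace(",", " ").split()
        if option == "auto-key-retrieve" or (option == "keyserver-options" and "auto-key-retrieve" in words):
            findings.append("auto-key-retrieve: verifying any signature may fetch the signer's key, "
                            "telling the keyserver who you exchange signed mail with")
        if option == "auto-key-locate":
            remote = [m for m in words if m in REMOTE_LOCATE or m.startswith("keyserver-")]
            if remote:
                findings.append("auto-key-locate uses remote mechanisms %s: encrypting to an unknown "
                                "address queries them with that address" % ", ".join(remote))
    # dirmngr is the component that actually talks to keyservers; check whether it uses Tor.
    dirmngr_options = {option for option, _ in parse_conf(dirmngr_conf)}
    if "use-tor" not in dirmngr_options:
        findings.append("dirmngr: use-tor not set, so keyserver queries reveal your IP address to the server")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GPG_CONF, SAMPLE_DIRMNGR_CONF):
        print("-", finding)
```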