Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Tue Jan 16 18:33:19 CET 2018

On 01/16/2018 06:19 PM, Leo Gaspard wrote:
> Also, there are flaws with this approach (like after a private key
> compromise, it would allow to prevent dissemination of the revocation
> certificate) [1], but fixes like allowing the statement to be “on
> 2018-04-01, please expose only the master key and its revocation
> certificate(s) to clients” would likely handle this particular issue.
> All I'm saying is that a system like this one is not a silver bullet
> solution, but may handle a few of the current complaints against the SKS
> network?

Not really (and that is ignoring disagreement with the complaints to
begin with).

One issue with the first statement "please allow to be on keyserver" is
that it doesn't provide any verification that the email in UID (or just
the name) is accurate, so most of the complaints regarding occurrence of
multiple matches for a search would not be honored, as you could anyway
create multiple keyblocks with this property.

To answer that request for feature, you need to make the keyserver a
de-facto CA instead of separating the roles, and perform some ID
verification at upload point; for email this might be a simple
robot-signing, but email addresses change over time, and a key might be
relevant even after changing email providers to verify historical
signatures etc.

But for OpenPGP this isn't an issue to begin with. No keyblock should be
used without first verifying the material, which historically is mostly
done through fingerprint exchanges / key signing parties. If wanting to
introduce a CA in the system, nothing is stopping you, and you will find
some discussion on robo-signers etc. e.g. at [0], but it doesn't require
any changes on the keyserver side, exactly because that is just a data
store and distribution point without any other responsibility.

Obviously the same goes for a TOFU model and WKD, which still can use
the keyserver network as distribution point for updates of

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Aut dosce, aut disce, aut discede
Either teach, or study, or leave
