New keyserver at keys.openpgp.org - what's your take?
mgorny at gentoo.org
Tue Jul 2 14:32:26 CEST 2019
On Fri, 2019-06-14 at 10:12 +0200, Oscar Carlsson via Gnupg-users wrote:
> I'm generally curious on your opinions on the latest new keyserver, this
> time running different software than the normal keyservers.
> They seem to have a different model which minimizes the amount of
> information available, to be compliant with GDPR and friends. Do you
> think there are any downsides to this?
Others have already somewhat pointed this out but I believe it hasn't
been emphasized enough: in my opinion, stripping third-party signatures
entirely is a no-go. I'd go even as far as to say this key server is
harmful to OpenPGP users, and defeats the purpose of using OpenPGP.
I agree that WoT is nowhere near perfect, and that it is confusing to
a lot of simple users. However, it's the best solution for validating
keys that we have right now. With keys.openpgp.org implicitly stripping
third-party signatures on one hand, and explicitly requiring e-mail
verification on the other, it effectively shifts the security model into
trusting e-mail verification done by the server software.
I'm not saying that people running the server encourage that in any way.
I'm saying that it's going to happen to a larger degree than before
because users will be making the wrong assumptions. In other words, if
users see that the particular key will be associated with the e-mail
address only once that address is verified, some of them will also
assume that if the e-mail address is present, then it is reliably
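A practical check for the situation described in the message above, added here as an example and not part of the original post or of any keyserver's code: scan `gpg --with-colons --list-sigs` output and flag keys that carry nothing but self-signatures, since for those the identity binding rests only on whatever the keyserver verified. The key IDs and the listing are constructed sample data.

```python
import subprocess

# Constructed sample of `gpg --with-colons --list-sigs` output for two keys.
# Key A carries a certification from a different key; key B has only its own
# self-signature, which is what a key fetched from a server that strips
# third-party signatures looks like. All key IDs are made-up placeholders.
SAMPLE_LISTING = """\
pub:u:4096:1:0000AAAA0000AAAA:1560000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000AAAA0000AAAA:
uid:u::::1560000000::DEADBEEF::Alice Example <alice@example.org>::::::::::0:
sig:::1:0000AAAA0000AAAA:1560000000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:0000BBBB0000BBBB:1560500000::::Bob Example <bob@example.org>:10x:::::2:
pub:u:4096:1:0000CCCC0000CCCC:1561000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000CCCC0000CCCC:
uid:u::::1561000000::CAFEBABE::Carol Example <carol@example.org>::::::::::0:
sig:::1:0000CCCC0000CCCC:1561000000::::Carol Example <carol@example.org>:13x:::::2:
"""

def third_party_certifiers(listing):
    """Map each primary key ID to the set of other key IDs that certified one
    of its user IDs. Self-signatures (issuer == the key itself) are skipped:
    they say nothing about who else vouches for the name/e-mail binding."""
    result = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":           # field 5 (index 4) is the key ID
            current = fields[4]
            result[current] = set()
        elif fields[0] == "sig" and current is not None:
            issuer = fields[4]           # issuer key ID of the certification
            if issuer != current:
                result[current].add(issuer)
    return result

def keys_without_third_party_sigs(listing):
    """Key IDs whose only certifications are self-signatures. For these, the
    Web of Trust cannot help; any assurance comes from the keyserver alone."""
    return sorted(k for k, s in third_party_certifiers(listing).items() if not s)

def listing_from_gpg(extra_args=()):
    """Read the local keyring (requires gpg; not exercised by the sample run)."""
    out = subprocess.run(["gpg", "--with-colons", "--list-sigs", *extra_args],
                         capture_output=True, text=True, check=True)
    return out.stdout

if __name__ == "__main__":
    for keyid in keys_without_third_party_sigs(SAMPLE_LISTING):
        print(f"{keyid}: no third-party certifications; WoT cannot validate it")
```

Replace `SAMPLE_LISTING` with `listing_from_gpg()` to run it against your own keyring after importing a key.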