New keyserver at keys.openpgp.org - what's your take?

Andrew Gallagher andrewg at andrewg.com
Sun Jun 16 15:00:10 CEST 2019


> On 15 Jun 2019, at 22:41, Vincent Breitmoser <look at my.amazin.horse> wrote:
> 
> 
>> For a start, it only supports email userids - so it is incompatible with
>> monkeysphere.
> 
> Indeed! This is a use case that would be interesting to explore though, feel
> free to open an issue on our tracker if you want to help think it through!

I will when I get back to a desktop, thanks. My first thought would be to use domain verification, as in ACME. No point reinventing the wheel.

>> It's also a centralised resource, meaning it's not resilient enough for
>> distributing revocations, which is the main use case for SKS these days
> 
> Is "resilient" really a word you would use to describe SKS these days? Are you
> aware of issues like this?:

I’m well aware of the limitations of SKS. I spammed the SKS list last year re modifying the reconciliation algorithm to prevent transmission of problematic key packets (tl;dr: it’s harder than it looks). My main concern has always been how to reliably distribute revocations; this is a Very Hard problem that other PKIs have also struggled with, and the “optimum” solution is heavily dependent on your threat model. But even so, SKS worked really well up until relatively recently. 

A



More information about the Gnupg-users mailing list