FAQ: seeking consensus
Vincent Breitmoser
look at my.amazin.horse
Fri Oct 18 12:24:43 CEST 2019
> It would be nice if you can add to the keyserver list also the
> mailvelope.com keyserver,

I concur keys.mailvelope.com is a fine keyserver today. However, you might want
to consider:

> because it requires users to authenticate their keys against the keyserver
> with a received encrypted email

An "encrypted" verification email in no way, shape or form "authenticates"
a key any more than an unencrypted email. It may seem like it should at first
glance, but it really doesn't if you think through the attack scenarios.

> and it also allows keeping third party signatures, compared to Hagrid.

This property also makes it susceptible to flooding attacks, and Mailvelope
doesn't make use of third party sigs itself.

I talked to Thomas (from Mailvelope) the other day, and he said he would either
want to make their implementation more abuse resistant (which I assume means
dropping third party sigs as well), or decommission it altogether in favor of
Hagrid.

Cheers

- V