FAQ: seeking consensus
sac at 300baud.de
Fri Oct 18 13:27:48 CEST 2019
Vincent Breitmoser wrote:
> > It would be nice if you can add to the keyserver list also the
> > mailvelope.com keyserver,
> I concur keys.mailvelope.com is a fine keyserver today. However, you might
> want to consider:
> > because it requires users to authenticate their keys against the keyserver
> > with a received encrypted email
> An "encrypted" verification email in no way, shape or form "authenticates"
> a key any more than an unencrypted email. It may seem like it should at first
> glance, but it really doesn't if you think through the attack scenarios.
Well, at least then it is an additional protection layer, which is nice to have.
> > and it also allows keeping third party signatures, compared to Hagrid.
> This property also makes it susceptible to flooding attacks, and Mailvelope
> doesn't make use of third party sigs itself.
I think they changed it a while ago. Before one could submit keys, once
they were already on the keyserver. Now it requires again a confirmation.
And it is true, while you can't sign keys with Mailvelope, the Key Manager
however shows them.
> I talked to Thomas (from Mailvelope) the other day, and he said he would
> either want to make their implementation more abuse resistant (which I assume
> means dropping third party sigs as well), or decommissioning it altogether in
> favor of Hagrid.
I think that the Mailvelope keyserver is nice for people who are in need of
CA or classic WoT signatures. So they should IMHO keep it.
certified OpenPGP key blocks available on keybase.io/stefan_claas