(my) E-mail address not found by 'https://keys.openpgp.org'
Werner Koch
wk at gnupg.org
Thu Mar 17 16:33:35 CET 2022
Hi!
Just for the records
> Oh, I didn't know, I was advised yesterday on another irc channel
> (#debian-facile) to change my key server:
>
> "They were ('keys.gnupg.net' and others) all flooded with fake keys
> mid-2019
You can't talk about fake key on a keyserver. That is not the task of a
keyserver. A keyserver is just a place to store arbitrary keys. The
user needs to make sure whether the key is authentic.
The actual DoS problem was that the keyservers also carry key
signatures. This led to some very large keys (due to arbitrary added
key signature) which took very long for gpg to check. This has
meanwhile been fixed by gpg by not importing 3rd party key-signatures
anymore.
There is actual no way in an system, which on purpose is distributed and
non-controlled - to inhibit the storage of keys. The keyserver protocol
unfortunately has had no specification on how to inhibit the addition of
arbitrary key signatures for example by allowing uploads of new
key-signatures only by data signed by the actual key.
keys.openpgp.net OTOH does away with the concept of a decentralized
system and tries again (like PGP.com and keyserver.org 20 years ago) to
establish a single source for keys. That is not for what PGP and thus
GnuPG where invented. Federation is okay for keyserver, but a central
authority is not desirable.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20220317/d730b38a/attachment.sig>
More information about the Gnupg-users
mailing list