x488 vs all other : keyid flip

Andrew Gallagher andrewg at andrewg.com
Wed Apr 3 12:51:11 CEST 2024


On 3 Apr 2024, at 10:32, Werner Koch <wk at gnupg.org> wrote:
> 
> On Tue,  2 Apr 2024 18:53, Andrew Gallagher said:
> 
>> technical challenge since no modern software supports them, and gnupg1
>> doesn’t implement --list-packets :-) But I have to admit they do
> 
> Sure it has the --list-packets command.  This command dates back to the
> very first release.

Please ignore my above remark; PEBKAC :facepalm:

> Given that Ubuntu's Hockeypuck is the default keyserver for GnuPG for
> most people (i.e. on Windows) it would be good if it continues to
> support at least the default keys.  Whether X448 or the forthcoming
> Kyber subkeys are relevant for keyservers is a different question.

I don’t see why a new algorithm would be fundamentally different from existing ones from a keyserver point of view. I would hope that they could be supported seamlessly.

> FWIW, I have severe doubts on the usefulness of public keyservers given
> the DoS problems for users and the wrong - but real - assumption of
> users that keys from a keyserver are trustworthy.  Sending keys with an
> initial mail is a better way; keyservers should be used only to provide
> subkey updates and revocations - no search by user id.

I agree that keyservers are not ideal for userid search - unfortunately we haven’t collectively settled on an alternative yet. Sending initial keys with every email may not be the best solution for large key material such as Kyber, although one could imagine a two-step process such as looking up the signing key of a signed mail via a keyserver. And trust calculations would still be an issue of course; TOFU protects against a passive eavesdropper but doesn’t do much against an active MITM… there’s a lot of work still to be done to improve the UX of mutual verification.

> I don't care about the IETF OpenPGP WG^Committee anymore.

Like it or not, we have to find some way to tolerate each other’s existence. And petty name-calling doesn’t help.

A
