Infrastructure support for GnuPG post-quantum keys
Werner Koch
wk at gnupg.org
Mon Jan 6 09:09:28 CET 2025
Hi!
On Fri, 3 Jan 2025 18:29, have--- said:
> I won’t ambush a volunteer answering support@ for a free keyserver,
> but I will publicly quote my own reply below. There has been no
The concept of public keyservers is dead. It worked well in a past
Internet with mostly friendly inhabitants. But we are not anymore in
the 90s and DoS is a major concern. There is also the false assumption
of many users that keys from a keyserver are in any way trustworthy.
There is one remaining reason for having a network of synced keyservers:
To distribute revocations.
Lookup of keys by anything other than a fingerprint has no more
justification. And for that feature a simple distributed storage for
revocations would be better than the complex keyserver software we have
today.
For initial key discovery (lookup) there are better methods:
- Send the key with your initial mail and start to build up trust.
(after all there must be some reason that you trust a mail address)
- Send the key along with the initial signed message by using the gpg
option --include-key-block. This does not even require mail.
- Distribute the key along with your mail address using the Web Key
directory.
- For key discovery in a managed environment (large organization) use an
LDAP keyserver.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
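The third method in the list above, publishing the key under the mail address via the Web Key Directory, is the one whose lookup step is easiest to show in code. The example below is an added illustration, not code from the message or from GnuPG itself: it derives the WKD lookup URLs (both the "advanced" and the "direct" method, plus the policy file that a client fetches first) for a mail address, using the hashing scheme from the WKD draft: the local part is lowercased, SHA-1 hashed, and z-base-32 encoded; the original local part is passed back as the `l` query parameter. Function names (`wkd_hash`, `wkd_urls`, `zbase32_encode`) are the example's own; the test vector `Joe.Doe@Example.ORG` is the one used in the draft. Percent-encoding of unusual local parts is left out, which is an assumption for the simple ASCII case.

```python
import hashlib

# z-base-32 alphabet as used by the Web Key Directory draft
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding characters; bits padded right)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * ((-len(bits)) % 5)  # pad to a multiple of 5 bits
    return "".join(
        ZBASE32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5)
    )


def wkd_hash(local_part: str) -> str:
    """Lowercase the local part, SHA-1 it, and z-base-32 encode the 20-byte digest.

    A 160-bit digest encodes to exactly 32 z-base-32 characters.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the WKD policy and key URLs a client would try for an address.

    The advanced method lives on the openpgpkey.<domain> subdomain and repeats
    the domain in the path; the direct method lives on the domain itself.
    The domain is lowercased; the 'l' parameter keeps the local part as given.
    (Example helper, not GnuPG's implementation.)
    """
    if address.count("@") != 1:
        raise ValueError(f"not a single mail address: {address!r}")
    local, domain = address.split("@")
    domain = domain.lower()
    h = wkd_hash(local)
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    base_dir = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced_policy": f"{base_adv}/policy",
        "advanced": f"{base_adv}/hu/{h}?l={local}",
        "direct_policy": f"{base_dir}/policy",
        "direct": f"{base_dir}/hu/{h}?l={local}",
    }


if __name__ == "__main__":
    # Constructed sample input; this is the address used in the WKD draft.
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
    # wkd_hash("Joe.Doe") -> iy9q119eutrkn8s1mk4r39qejnbu3n5q
```

A client tries the advanced method first (policy file on `openpgpkey.<domain>`) and falls back to the direct method only if that host does not exist; because the key is served by the mail domain's operator over HTTPS, the lookup is bound to the address rather than to whatever a keyserver happened to accept, which is exactly the trust property the message says keyserver results lack.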