<html><head></head><body><div class="gmail_quote">On December 12, 2018 2:35:43 AM AKST, Stefan Claas &lt;stefan.claas@posteo.de&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">On Wed, 12 Dec 2018 10:15:33 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">Hello all,<br><br>I recently saw a message from one of Fedora's maintainers:<br><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;">Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also dropping keyserver support at Werner's<br>suggestion since upstream plans to disable that soon. <br></blockquote><br>Source: <a href="https://infosec.exchange/@bcl/101195051788828345">https://infosec.exchange/@bcl/101195051788828345</a><br><br>Does anyone know anything about dropping keyserver support in GnuPG? That seems<br>a little bit radical but maybe I've missed something...<br></blockquote><br>If so, I see it as a consequent move from past discussions on ML's and that Werner shows<br>responsibility, while everybody else defended the old system or put their head in the sand.<br><br>Bravo!<br><br>Regards<br>Stefan<br></pre></blockquote></div><br clear="all"><br>One disadvantage of "keyservers" in general is that the automated queries to them leak "too much information" on the parties with whom one is communicating - even the fact that one is using PGP at all.<br><br>One of the original goals of PGP, and later on, GnuPG, was to avoid the reliance on a central point of failure such as a "server." It was to be a most explicitly *decentralized* system.<br><br>*Probably nothing wrong* with a keyserver if the key is tied to one's everyday real-life identity, but that is not always the use case of public key cryptography. 
Not everyone wants his or her phone number, email address, and residence address published in a database accessible to the public.<br><br>The big advantage, of course, to the keyservers is that they make it convenient for people to use PGP and GnuPG who might not otherwise bother with encryption at all.<br><br>In any case, I am sure that the keyserver support functionality could easily be split off into a separate program if it is being dropped from GnuPG, which to be honest is getting rather bloated and could do well to focus on its core competencies.<br><br>Right now the OpenKeychain app on my phone is configured to search OpenPGP keyservers:<br><br>hkps://keyserver.ubuntu.com<br>hkps://hkps.pool.sks-keyservers.net (hkp://jirk5u4osbsr34t5.onion)<br>hkps://pgp.mit.edu<br>hkps://keys.fedoraproject.org (which I added because I use Fedora.)<br><br>There is also a "keybase.io" and a "Web Key Directory" search. It might seem a bit much, but the general goal here is not "absolute privacy" but to enable the dumb user of a smart phone to make use of PGP encryption.<br><br>This whole debate, I seem to recall, took place many, many years ago, and of course different groups have different goals and find different technical solutions for their respective situations.<br><br>-- <br>A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.<br><br><a href="https://www.colmena.biz/~justina/justina.colmena.asc">https://www.colmena.biz/~justina/justina.colmena.asc</a></body></html>