> I haven't looked at the links yet, but what is your purpose? Do you want
> to detect rogue keyservers in the keyserver network, or perhaps attacks
> on keyservers?

Essentially I'm looking to see if it's possible to make a secure directory service, for some definition of secure, even against persistent attackers.

> There is no need to trust keyservers in the Web of Trust, or even in
> TOFU (as I assume in the latter you got a signed message from the other
> to start things off, and the wrong key would not verify the message).
> Still, it could be interesting to see if the keyserver network is
> somehow messed with, I suppose.

The idea is to see whether we can make something with security between the WoT and "download a random key and see what happens" that doesn't require user intervention. Whether this would be too burdensome remains to be seen.

Essentially, if you look up your email address regularly on the major keyservers, you can see whether people emailing you out of the blue will get the right key. But whoever is controlling it could send you the true key and a fake one to everyone else. This is a way to overcome that.

If you use e.g. Signal, you can encrypt from the first message; I want to see if that kind of user experience is possible with email, despite the lack of what I guess you might term biometric authentication.

Thanks,
Lachlan
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
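The check Lachlan describes (query the major keyservers for your own address regularly, and compare what they serve to you against what they serve to someone else, so a server that hands you the true key and everyone else a fake is caught) can be sketched as a small audit script. The code below is an added example, not code from the thread or from GnuPG; it parses the HKP machine-readable index format (`op=index&options=mr`: `info:`, `pub:`, `uid:` colon-separated lines) and, instead of talking to the network, runs over constructed responses for three hypothetical servers, with the UID, fingerprints and server names all made up for the example.

```python
"""Keyserver consistency audit (added example, not from the original post).

Compares HKP index responses for one UID across several servers and across two
vantage points (your own machine and a friend's), flagging impostor keys,
missing keys and servers that give the two vantage points different answers.
All responses below are constructed inline so the script runs offline.
"""
from __future__ import annotations
from urllib.parse import quote, unquote

# Assumed identity and constructed fingerprints (not real keys).
MY_UID = "Lachlan <lachlan@example.org>"
MY_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
FAKE_FPR = "9999888877776666555544443333222211110000"


def hkp_index(*keys: tuple[str, list[str]]) -> str:
    """Build a constructed HKP machine-readable index body for the sample data."""
    lines = [f"info:1:{len(keys)}"]
    for fpr, uids in keys:
        lines.append(f"pub:{fpr}:1:4096:1500000000::")   # algo 1 = RSA, 4096 bits
        for uid in uids:
            lines.append(f"uid:{quote(uid, safe='')}:1500000000::")
    return "\n".join(lines) + "\n"


def parse_hkp_index(body: str) -> dict[str, set[str]]:
    """Parse an HKP index (options=mr) into {fingerprint: {uid, ...}}.

    Each 'pub:' line starts a key; following 'uid:' lines belong to it. UID
    strings are percent-escaped on the wire, so they never contain ':'.
    """
    keys: dict[str, set[str]] = {}
    current = None
    for line in body.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 1:
            current = fields[1].upper()
            keys.setdefault(current, set())
        elif fields[0] == "uid" and len(fields) > 1 and current is not None:
            keys[current].add(unquote(fields[1]))
        # 'info:' and anything unrecognised is ignored
    return keys


def keys_for_uid(body: str, uid: str) -> set[str]:
    """Fingerprints of every key in the response that carries the given UID."""
    return {fpr for fpr, uids in parse_hkp_index(body).items() if uid in uids}


def audit_server(body: str, uid: str, own_fpr: str) -> list[str]:
    """Findings for one server's response: own key absent, or extra keys on our UID."""
    served = keys_for_uid(body, uid)
    issues = []
    if own_fpr not in served:
        issues.append("own key missing")
    for fpr in sorted(served - {own_fpr}):
        issues.append(f"impostor key {fpr}")
    return issues


def compare_vantage_points(uid: str, local: dict[str, str],
                           remote: dict[str, str]) -> dict[str, tuple[list[str], list[str]]]:
    """Servers whose answer for `uid` differs between the two vantage points.

    This is the check that catches the attack in the message: a server that
    serves the true key to you but a fake one to everyone else looks clean
    from your own machine and only shows up when a second vantage point's
    view is compared with yours.
    """
    split = {}
    for server in sorted(set(local) & set(remote)):
        here = sorted(keys_for_uid(local[server], uid))
        there = sorted(keys_for_uid(remote[server], uid))
        if here != there:
            split[server] = (here, there)
    return split


# Constructed responses: what our machine sees vs. what a friend's machine sees.
LOCAL = {
    "keys.example.org": hkp_index((MY_FPR, [MY_UID])),                       # honest
    "rogue.example.net": hkp_index((MY_FPR, [MY_UID]), (FAKE_FPR, [MY_UID])),  # extra key for our UID
    "split.example.com": hkp_index((MY_FPR, [MY_UID])),                      # honest-looking to us...
}
REMOTE = {
    "keys.example.org": hkp_index((MY_FPR, [MY_UID])),
    "rogue.example.net": hkp_index((MY_FPR, [MY_UID]), (FAKE_FPR, [MY_UID])),
    "split.example.com": hkp_index((FAKE_FPR, [MY_UID])),                    # ...but fake to everyone else
}


def run_audit(uid: str = MY_UID, own_fpr: str = MY_FPR,
              local: dict[str, str] = LOCAL, remote: dict[str, str] = REMOTE) -> dict:
    """Full audit: per-server findings from our view, plus split-view detection."""
    return {
        "servers": {s: audit_server(body, uid, own_fpr) for s, body in local.items()},
        "split_view": compare_vantage_points(uid, local, remote),
    }


if __name__ == "__main__":
    for section, result in run_audit().items():
        print(section)
        for server, finding in result.items():
            print(f"  {server}: {finding or 'ok'}")
```

Two caveats a practitioner would attach to this. Agreement between vantage points only shows consistency, not correctness: an attacker who controls the view of both parties (or the path to both) is not detected, and with plain HTTP HKP the response can be altered in transit, so the comparison should run over HTTPS (HKPS) or the friend's view should be sent over an already-authenticated channel. And a mismatch tells you *that* something is wrong, not which key is genuine; the fingerprint you hold locally is the reference, and the result is a signal to investigate rather than a verdict.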