On 09/26/2017 01:07 PM, Andrew Gallagher wrote:
> So SKS should just say "unverified signature from <fingerprint>". It
> should not repeat the purported user ID, nor provide a search link that
> returns completely unrelated keys that happen to have the same purported ID.
No, that is also wrong, as it implies that anything is trusted unless otherwise stated. A malicious actor can claim it is verified all he/she wants (simply removing the disclaimer). The user's default position NEEDS to be that nothing is verified until it is done locally or by an explicitly trusted third party. Any kind of disclaimer is actually doing the user a disservice and supporting a subset of the user base that lacks sufficient experience/knowledge to do anything securely to begin with, which is the root cause of the issue; the solution isn't a disclaimer, it is more education.

Fwiw I don't recommend anyone to directly link to vindex etc on keyservers; you'll notice that https://sks-keyservers.net only links to get operations for similar purposes (if you find a (v)index link it is a bug and you should report it separately), but being able to browse the keyserver directly is too useful for debugging to completely remove. It is a reason it is done on port 11371 for hkp, and I would encourage only accessing it through a local client, but other than that there isn't much to do on the keyserver side.

But the lesson here is that in order to avoid misuse by an inexperienced user base the protocol has to be a binary obfuscated mess instead of trying to re-use well-established protocols in text form, just in case the user walks into the maze for some reason.

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If you don't drive your business, you will be driven out of business"
(B. C. Forbes)
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users