On 01/16/2018 06:19 PM, Leo Gaspard wrote:
> Also, there are flaws with this approach (like after a private key
> compromise, it would allow to prevent dissemination of the revocation
> certificate) [1], but fixes like allowing the statement to be "on
> 2018-04-01, please expose only the master key and its revocation
> certificate(s) to clients" would likely handle this particular issue.
>
> All I'm saying is that a system like this one is not a silver bullet
> solution, but may handle a few of the current complaints against the SKS
> network?
Not really (and that is ignoring disagreement with the complaints to begin with).

One issue with the first statement "please allow to be on keyserver" is that it doesn't provide any verification that the email in the UID (or just the name) is accurate, so most of the complaints regarding the occurrence of multiple matches for a search would not be honored, as you could anyway create multiple keyblocks with this property. To answer that feature request, you need to make the keyserver a de-facto CA instead of separating the roles, and perform some ID verification at the upload point; for email this might be a simple robot-signing, but email addresses change over time, and a key might be relevant even after changing email providers, to verify historical signatures etc.

But for OpenPGP this isn't an issue to begin with. No keyblock should be used without first verifying the material, which historically is mostly done through fingerprint exchanges / key signing parties. If wanting to introduce a CA in the system, nothing is stopping you, and you will find some discussion on robo-signers etc. e.g. at [0], but it doesn't require any changes on the keyserver side, exactly because that is just a data store and distribution point without any other responsibility.

Obviously the same goes for a TOFU model and WKD, which still can use the keyserver network as a distribution point for updates of expirations/revocations/etc...

References:
[0] https://wiki.gnupg.org/OpenPGPEmailSummit201512/EmailValidation?action=AttachFile&do=get&target=EmailValidation20151207.pdf

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aut dosce, aut disce, aut discede
Either teach, or study, or leave
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
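The point made above, that a keyserver is only a data store and that the client must verify the material by fingerprint before using any keyblock, is illustrated by the following added example; it is not code from the mail or from the GnuPG project. It parses a constructed `gpg --with-colons` key listing in which two keys carry the same user ID (the "multiple matches for a search" situation), shows that a UID search cannot tell them apart, and selects the one key whose primary fingerprint equals a value obtained out of band. The first fingerprint in the sample is the one printed in the signature block of the mail; the second fingerprint, the key IDs, UID hashes, names and email address are placeholders.

```python
"""Pick a keyblock out of keyserver search results by an out-of-band verified fingerprint."""
import re
from typing import Dict, List, Optional

# Constructed sample of `gpg --with-colons` key-listing output (not real keyserver data).
# Both keys claim the same user ID, so a UID search alone cannot distinguish them.
# The first fpr is the one from the mail signature above; the all-zero one is a fake placeholder.
SAMPLE_COLON_LISTING = """\
pub:-:4096:1:0B7F8B60E3EDFAE3:1350000000:::-:::scESC::::::23::0:
fpr:::::::::94CBAFDD30345109561835AA0B7F8B60E3EDFAE3:
uid:-::::1350000000::0000000000000000000000000000000000000001::Example User <user@example.invalid>::::::::::0:
pub:-:2048:1:0000000000000000:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1500000000::0000000000000000000000000000000000000002::Example User <user@example.invalid>::::::::::0:
"""

# v4 fingerprints are 40 hex digits (160-bit SHA-1), v5 fingerprints 64 (256-bit).
_HEX_FPR = re.compile(r"^(?:[0-9A-F]{40}|[0-9A-F]{64})$")


def normalize_fpr(text: str) -> str:
    """Turn a human-readable fingerprint ('94CB AFDD ...') into canonical uppercase hex."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not _HEX_FPR.match(fpr):
        raise ValueError(f"not a v4/v5 OpenPGP fingerprint: {text!r}")
    return fpr


def parse_colon_listing(text: str) -> List[Dict[str, object]]:
    """Group pub/fpr/uid records of a --with-colons listing into one dict per primary key.

    Only the first fpr record after a pub record is taken as the primary fingerprint;
    later fpr records belong to subkeys and are ignored here.
    """
    keys: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            keys.append({"keyid": fields[4], "fpr": None, "uids": []})  # field 5 = key ID
        elif rtype == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = fields[9]          # field 10 = fingerprint
        elif rtype == "uid" and keys:
            keys[-1]["uids"].append(fields[9])   # field 10 = user ID string
    return keys


def search_by_email(keys: List[Dict[str, object]], email: str) -> List[Dict[str, object]]:
    """Mimic a keyserver UID search: every key whose user ID contains <email>."""
    needle = f"<{email.lower()}>"
    return [k for k in keys if any(needle in u.lower() for u in k["uids"])]


def select_trusted_key(keys: List[Dict[str, object]], expected_fpr: str) -> Optional[Dict[str, object]]:
    """Return the single key whose primary fingerprint equals the verified value, else None.

    The keyserver's answer is untrusted input; the fingerprint exchanged in person
    (or via another trusted channel) is the only thing that decides which block to use.
    """
    wanted = normalize_fpr(expected_fpr)
    matches = [k for k in keys if k["fpr"] == wanted]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_COLON_LISTING)
    print(len(search_by_email(keys, "user@example.invalid")), "keys match the UID search")
    chosen = select_trusted_key(keys, "94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3")
    print("use key", chosen["keyid"] if chosen else None)
```

In real use the listing would come from `gpg --with-colons --import-options show-only --import` over the downloaded keyblock (or from `--list-keys` after import), and the expected fingerprint from the person, a business card, or WKD/TOFU state rather than from the keyserver itself; the selection logic stays the same.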