On Thu, 06 Dec 2018 15:22:14 +0100, Werner Koch wrote:

> > That's right, but my thought is / was someone can (ab)use key
> > servers as data storage / retrieval system and then only provides
> > the key id
> 
> As it has been commented, there are easier ways to do that.

I have also read the threads at the sks devel ML and my suggestion
would be that we need more international CAs to get rid of all
the problems the key server network has.

People should think about the following:

Get a sig from a CA and then upload your key via email.
Then the key servers do something like a gpg --check-sigs
to see if a key bears a valid CA sig and if it is found in their
index the key will be added to the network, once the submitted
UID matches with the email address header. So no cryptographic
verification is imho needed. This would also eliminate, I think,
that someone else can upload someone else's pub key.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
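
The acceptance check proposed in the message above, sketched as an added example; it is not part of the original post and not code from any keyserver. It parses the output of `gpg --check-sigs --with-colons`; the sample key listing, the CA key ID and the function names are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample of `gpg --check-sigs --with-colons` output (not a real key).
# Field 1 = record type, field 2 of a sig record = check result ('!' good,
# '-' bad, '?' no public key), field 5 = signer key ID, field 10 = user ID.
SAMPLE = """\
pub:-:4096:1:1111222233334444:1543900000:::-:::scESC:
uid:-::::1543900000::HASH1::Alice Example <alice@example.org>:
sig:!::1:1111222233334444:1543900000::::Alice Example <alice@example.org>:13x:
sig:!::1:CACACACACACACACA:1543950000::::Example CA <ca@ca.example>:10x:
uid:-::::1543900000::HASH2::Alice <alice@other.example>:
sig:!::1:1111222233334444:1543900000::::Alice Example <alice@example.org>:13x:
"""

# Hypothetical index of CA key IDs the keyserver trusts (assumption).
TRUSTED_CA_KEYIDS = {"CACACACACACACACA"}


def ca_certified_emails(colons, ca_keyids):
    """Return e-mail addresses of UIDs that carry a good ('!') CA signature."""
    certified, current = set(), None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub", "uat"):
            current = None  # following sig records do not belong to a UID
        elif f[0] == "uid" and len(f) > 9:
            current = parseaddr(f[9])[1].lower()
        elif (f[0] == "sig" and current and len(f) > 4
              and f[1].startswith("!") and f[4] in ca_keyids):
            certified.add(current)
        # 'rev' records (revoked certifications) are ignored in this sketch.
    return certified


def accept_submission(from_header, colons, ca_keyids=TRUSTED_CA_KEYIDS):
    """Accept only if the mail's From address is a CA-certified UID of the key."""
    sender = parseaddr(from_header)[1].lower()
    return bool(sender) and sender in ca_certified_emails(colons, ca_keyids)


if __name__ == "__main__":
    for hdr in ("Alice <alice@example.org>", "alice@other.example",
                "Mallory <mallory@example.net>"):
        print(hdr, "->", accept_submission(hdr, SAMPLE))
```

The From header is taken as given here, as in the proposal; the sketch does not authenticate the mail itself, and it matches on the key ID in field 5 only.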
