Re: Garbled data in keyservers

2018-12-09 Thread justina colmena via Gnupg-users
On December 9, 2018 11:17:34 AM AKST, Stefan Claas  
wrote:
>On Sun, 9 Dec 2018 21:11:12 +0100, Juergen Bruckner wrote:
>> On 09.12.18 at 18:24, Dirk Gottschalk via Gnupg-users wrote:
>> > And further, why should anyone run something like a CA for free.
>> > Sure, CAcert does it. But that's the only organisation I know who
>> > does this.  
>> 
>> Also WPIA [1] plans to do this and started an audit process for their
>> CA.
>> 
>> regards
>> Juergen
>> 
>> [1] https://wpia.club
>
>Very cool Juergen! 
>
>Regards
>Stefan
>
>-- 
>https://www.behance.net/futagoza
>https://keybase.io/stefan_claas


What was that German company, StartSSL or something, that offered free certs 
for a while, big on S/MIME, (almost deprecated PGP/GPG,) and personal client 
certificates on the browser, that sort of thing?

Then there was a big kerfuffle because the Chinese allegedly bought them out.

Then EFF / certbot / letsencrypt started offering them. It's a "gentleman's 
agreement" of sorts. One and only one CA will offer "free" certs, and they're 
"well-known," basically for development and not for e-commerce.

I'm rather upset with EFF at the moment, by the way. They're always pushing 
"adult content" like a bunch of porno addicts and they have acquired almost a 
Salesforce- or SAP-like CRM system in their back office, collecting a lot of 
personal information on political dissidents and precisely the privacy-minded 
individuals who would rather not have such possibly derogatory information 
collected about them.
-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/justina.colmena.asc

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Garbled data in keyservers

2018-12-09 Thread Dirk Gottschalk via Gnupg-users
Hi Stefan.

On Sunday, 09.12.2018, 21:13 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 20:55:36 +0100, Dirk Gottschalk wrote:
> 
> Hello Dirk,
> 
> > That I mentioned in the other reply I have sent a few seconds ago.
> > 
> > > right? A key which would bear a CA sig would imho not have such
> > > additional and funny UID's or sigs, because it would make the key
> > > owner look a bit stupid, i would say.  
> > 
> > No. The signatures on a key are not related to each other. A funny
> > signature could be backdated before the signature by the CA was
> > made.
> > Who's the stupid now, in the eyes of the user seeing this? ^^
> 
> Do you really think a user with a CA sig would do that, with my
proposals I have made?

Yes, for sure. With a backdated signature the CA could be blamed in the
eyes of some not so firm users. Even if it's only for this purpose.

First the UID problem should be fixed and then a similar mechanism for
the signatures could be introduced. This would fix the well known
problems and no CA would be needed. That is unrelated to the CAs for
"assurance", which are not a really bad idea, but it has nothing to do
with the flaws in the key servers and even wouldn't be a fix for this.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Garbled data in keyservers

2018-12-09 Thread Stefan Claas
On Sun, 9 Dec 2018 21:11:12 +0100, Juergen Bruckner wrote:
> On 09.12.18 at 18:24, Dirk Gottschalk via Gnupg-users wrote:
> > And further, why should anyone run something like a CA for free.
> > Sure, CAcert does it. But that's the only organisation I know who
> > does this.  
> 
> Also WPIA [1] plans to do this and started an audit process for their
> CA.
> 
> regards
> Juergen
> 
> [1] https://wpia.club

Very cool Juergen! 

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Garbled data in keyservers

2018-12-09 Thread Stefan Claas
On Sun, 09 Dec 2018 20:55:36 +0100, Dirk Gottschalk wrote:

Hello Dirk,

> That I mentioned in the other reply I have sent a few seconds ago.
> 
> > right? A key which would bear a CA sig would imho not have such
> > additional and funny UID's or sigs, because it would make the key
> > owner look a bit stupid, i would say.  
> 
> No. The signatures on a key are not related to each other. A funny
> signature could be backdated before the signature by the CA was made.
> Who's the stupid now, in the eyes of the user seeing this? ^^

Do you really think a user with a CA sig would do that, with the
proposals I have made?

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Garbled data in keyservers

2018-12-09 Thread Juergen Bruckner


On 09.12.18 at 18:24, Dirk Gottschalk via Gnupg-users wrote:
> And further, why should anyone run something like a CA for free.
> Sure, CAcert does it. But that's the only organisation I know who does
> this.

Also WPIA [1] plans to do this and started an audit process for their CA.

regards
Juergen

[1] https://wpia.club
-- 
Juergen Bruckner
juer...@bruckner.tk





Re: Garbled data in keyservers

2018-12-09 Thread Stefan Claas
On Sun, 09 Dec 2018 20:34:55 +0100, Dirk Gottschalk wrote:
> On Sunday, 09.12.2018, 20:03 +0100, Stefan Claas wrote:

Hi Dirk,

> A weekend job... Muhahahahahahaha, you don't do much programming, do
> you? One would have to write an email bot, change the keyserver
> code to no longer accept submissions via HKP, then it would be
> necessary to disable HKP for upload in GnuPG to avoid broken clients
> and so on.

Mind you, in the 90s PGP key servers also accepted email and Usenet
submissions, if I remember correctly. The keyword was then simply
the word "add" in the subject line of an email.



> > People can then still use the old key servers (until they may become
> > obsolete...) or use keybase.  
> 
> Keybase is an option, yes. And the keyservers could be fixed. HKP for
> retrieval is very comfortable and there is no need to also disable the
> retrieval.

The retrieval is of course good and I did not say anything about it. 

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Garbled data in keyservers

2018-12-09 Thread Wiktor Kwapisiewicz via Gnupg-users
On 09.12.2018 20:03, Stefan Claas wrote:
> To bad that Werner's WKD is not widely adopted from email
> service providers...

Just for the record, it is adopted by e-mail service providers that are
interested in OpenPGP (like ProtonMail and Posteo.de, see
https://wiki.gnupg.org/WKD).

As for "e-mail service providers" like Gmail or Yahoo that obviously is not
going to happen (unless one uses Google Suite with custom domain, etc.)

Kind regards,

Wiktor

-- 
https://metacode.biz/@wiktor




Re: Garbled data in keyservers

2018-12-09 Thread Dirk Gottschalk via Gnupg-users
Hello Stefan.

On Sunday, 09.12.2018, 19:38 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 08:23:03 -0900, justina colmena via Gnupg-users
> wrote:
> > On December 9, 2018 7:54:01 AM EST, Stefan Claas
> >  wrote:
> > > Get a sig from a CA and then upload your key via email.
> > >  
> > That's a bit steep, and was never the original goal of PGP or GPG.

> No, in 2018 I think it is not. CAs can be run by non-profit
> organizations like EFF etc., which I believe a lot of people trust.

> Then don't forget all the worldwide assurers from CAcert.org.

> > If the goal is to eliminate the bulk of bad keys and junk from key
> > servers, an account creation with basic email verification for
> > adding or removing keys should suffice.

> I don't think so. Create an anon account at ProtonMail via Tor for
> example and then do "funny stuff" with those keys.

There is always a way to abuse things. And a plausibility check on UIDs
would remove the possibility for abusive data encoding in these. I
think that would be a starting point.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Fw: Garbled data in keyservers

2018-12-09 Thread Stefan Claas


Begin forwarded message:

Date: Sun, 9 Dec 2018 20:35:41 +0100
From: Stefan Claas 
To: Dirk Gottschalk 
Subject: Re: Garbled data in keyservers


On Sun, 09 Dec 2018 20:26:21 +0100, Dirk Gottschalk wrote:

Hi Dirk,

> > I don't think so. Create an anon account at ProtonMail via Tor for
> > example and then do "funny stuff" with those keys.
> 
> Nah, the server code has just to be modified, then a plausibility
> check could be established if the UID is a valid one, or an abusive
> one. This would disable abusive UIDs with malicious data.  

Well, if one creates a valid UID for ProtonMail, for example, the
server needs then also to check additional UIDs or "funny" sigs,
right? A key which would bear a CA sig would imho not have such
additional and funny UIDs or sigs, because it would make the key owner
look a bit stupid, I would say.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Garbled data in keyservers

2018-12-09 Thread Dirk Gottschalk via Gnupg-users
On Sunday, 09.12.2018, 20:03 +0100, Stefan Claas wrote:
> On Sun, 9 Dec 2018 19:38:31 +0100, Stefan Claas wrote:
> > On Sun, 09 Dec 2018 08:23:03 -0900, justina colmena via Gnupg-users
> > wrote:
> > > On December 9, 2018 7:54:01 AM EST, Stefan Claas
> > >  wrote:  
> > > > Get a sig from a CA and then upload your key via email.
> > > >
> > > That's a bit steep, and was never the original goal of PGP or
> > > GPG.  

> > No, in 2018 I think it is not. CAs can be run by non-profit
> > organizations like EFF etc., which I believe a lot of people trust.

> > Then don't forget all the worldwide assurers from CAcert.org.

> > > If the goal is to eliminate the bulk of bad keys and junk from
> > > key
> > > servers, an account creation with basic email verification for
> > > adding or removing keys should suffice.  

> > I don't think so. Create an anon account at ProtonMail via Tor for
> > example and then do "funny stuff" with those keys.

> My proposal could also be run in parallel. I think it would be
> only a weekend job for a programmer to modify the server code,
> so that it accepts only incoming and verified email and not web
> or GnuPG via Tor submissions.

That's also what GPG is made for. Privacy. So Tor usage is quite okay.
The idea of an email bot instead of HKP for upload is something
that could be taken into consideration to validate sender and key, I
agree.

A weekend job... Muhahahahahahaha, you don't do much programming, do
you? One would have to write an email bot, change the keyserver code to
no longer accept submissions via HKP, then it would be necessary to
disable HKP for upload in GnuPG to avoid broken clients and so on.

> People can then still use the old key servers (until they may become
> obsolete...) or use keybase.

Keybase is an option, yes. And the keyservers could be fixed. HKP for
retrieval is very comfortable and there is no need to also disable the
retrieval.

> Too bad that Werner's WKD is not widely adopted by email
> service providers...

WKD is a good thing, but has not yet widely spread. I think one of the
problems is the small amount of users demanding it.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Garbled data in keyservers

2018-12-09 Thread Dirk Gottschalk via Gnupg-users
Hi Stefan.

On Sunday, 09.12.2018, 19:38 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 08:23:03 -0900, justina colmena via Gnupg-users
> wrote:
> > On December 9, 2018 7:54:01 AM EST, Stefan Claas
> >  wrote:
> > > Get a sig from a CA and then upload your key via email.
> > >  
> > That's a bit steep, and was never the original goal of PGP or GPG.

> No, in 2018 I think it is not. CAs can be run by non-profit
> organizations like EFF etc., which I believe a lot of people trust.

> Then don't forget all the worldwide assurers from CAcert.org.
> 
> > If the goal is to eliminate the bulk of bad keys and junk from key
> > servers, an account creation with basic email verification for
> > adding
> > or removing keys should suffice.

> I don't think so. Create an anon account at ProtonMail via Tor for
> example and then do "funny stuff" with those keys.

Nah, the server code has just to be modified, then a plausibility check
could be established if the UID is a valid one, or an abusive one. This
would disable abusive UIDs with malicious data.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Garbled data in keyservers

2018-12-09 Thread Dirk Gottschalk via Gnupg-users
On Sunday, 09.12.2018, 19:54 +0100, Stefan Claas wrote:
> On Sun, 9 Dec 2018 19:51:37 +0100, Stefan Claas wrote:
> > On Sun, 09 Dec 2018 18:24:38 +0100, Dirk Gottschalk wrote:
>  
> Hi Dirk,
> > > Get a sig from a CA and then upload your key via email.
> > > Then the key servers do something like a gpg --check-sigs
> > > to see if a key bears a valid CA sig and if it is found in their
> > > index the key will be added to the network, once the submitted
> > > UID matches with the email address header. So no cryptographic
> > > verification is imho needed. This would also eliminate, i think,
> > > > that someone else can upload someone else's pub key.
> > > 
> > > And who decides which CA is trustworthy and which is not? The
> > > problem is, like in the X.509 land, that it depends on an
> > > initial
> > > trust to one or more central authorities. Who decides whom one
> > > can
> > > trust.  

> If trusted organizations like EFF etc. would run a CA...

> > > And further, why should anyone run something like a CA for
> > > free.  

> Nobody said that it should be free.

That's a point one would have to discuss. A small one time fee would be
okay, but not too much, or we are at the same point as in X.509 land
and nobody wants to invest, except for real good reasons.


> > > And then again the question, who decides who gets the needed
> > > trust?  

> I have learned in the past the phrase "trust nobody" when it comes
> to IoT. That means also I don't have to trust GnuPG users, for
> example... ;-)

Exactly this is the point where the key signatures come into place. You
can decide whom you trust, or not, and how far your trust goes.
Then you can see if somebody you don't know yet is trusted by a user
you trust. Then the trustdb comes into place. Exactly this is how PGP
works. PGP is not a replacement for the X.509 infrastructure like it is
used in companies or other organizations. And even there often PGP is
enough, at least for email signature or encryption.

I'm still not sure what you're trying to achieve. A replacement for
X.509?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Garbled data in keyservers

2018-12-09 Thread Stefan Claas
On Sun, 9 Dec 2018 19:38:31 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 08:23:03 -0900, justina colmena via Gnupg-users
> wrote:
> > On December 9, 2018 7:54:01 AM EST, Stefan Claas
> >  wrote:  
> > >
> > >Get a sig from a CA and then upload your key via email.
> > >
> > That's a bit steep, and was never the original goal of PGP or GPG.  
> 
> No, in 2018 I think it is not. CAs can be run by non-profit
> organizations like EFF etc., which I believe a lot of people trust.
> 
> Then don't forget all the worldwide assurers from CAcert.org.
> 
> > If the goal is to eliminate the bulk of bad keys and junk from key
> > servers, an account creation with basic email verification for
> > adding or removing keys should suffice.  
> 
> I don't think so. Create an anon account at ProtonMail via Tor for
> example and then do "funny stuff" with those keys.

My proposal could also be run in parallel. I think it would be
only a weekend job for a programmer to modify the server code,
so that it accepts only incoming and verified email and not web
or GnuPG via Tor submissions.

People can then still use the old key servers (until they may become
obsolete...) or use keybase.

Too bad that Werner's WKD is not widely adopted by email
service providers...

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Garbled data in keyservers

2018-12-09 Thread Stefan Claas
On Sun, 9 Dec 2018 19:51:37 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 18:24:38 +0100, Dirk Gottschalk wrote:
 
Hi Dirk,
> 
> > Get a sig from a CA and then upload your key via email.
> > Then the key servers do something like a gpg --check-sigs
> > to see if a key bears a valid CA sig and if it is found in their
> > index the key will be added to the network, once the submitted
> > UID matches with the email address header. So no cryptographic
> > verification is imho needed. This would also eliminate, i think,
> > > that someone else can upload someone else's pub key.
> > 
> > And who decides which CA is trustworthy and which is not? The
> > problem is, like in the X.509 land, that it depends on an initial
> > trust to one or more central authorities. Who decides whom one can
> > trust.  

If trusted organizations like EFF etc. would run a CA...

> > And further, why should anyone run something like a CA for
> > free.  

Nobody said that it should be free.

> > And then again the question, who decides who gets the needed
> > trust?  

I have learned in the past the phrase "trust nobody" when it comes
to IoT. That means also I don't have to trust GnuPG users, for
example... ;-)

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Garbled data in keyservers

2018-12-09 Thread Stefan Claas
On Sun, 09 Dec 2018 08:23:03 -0900, justina colmena via Gnupg-users
wrote:
> On December 9, 2018 7:54:01 AM EST, Stefan Claas
>  wrote:
> >
> >Get a sig from a CA and then upload your key via email.
> >  
> That's a bit steep, and was never the original goal of PGP or GPG.

No, in 2018 I think it is not. CAs can be run by non-profit
organizations like EFF etc., which I believe a lot of people trust.

Then don't forget all the worldwide assurers from CAcert.org.

> If the goal is to eliminate the bulk of bad keys and junk from key
> servers, an account creation with basic email verification for adding
> or removing keys should suffice.

I don't think so. Create an anon account at ProtonMail via Tor for
example and then do "funny stuff" with those keys.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Garbled data in keyservers

2018-12-09 Thread Dirk Gottschalk via Gnupg-users
Hello Justina

On Sunday, 09.12.2018, 08:23 -0900, justina colmena via
Gnupg-users wrote:
> On December 9, 2018 7:54:01 AM EST, Stefan Claas <
> stefan.cl...@posteo.de> wrote:
> > Get a sig from a CA and then upload your key via email.
> > 
> That's a bit steep, and was never the original goal of PGP or GPG.

Correct.


> If the goal is to eliminate the bulk of bad keys and junk from key
> servers, an account creation with basic email verification for adding
> or removing keys should suffice.

That's something I thought about, too.


> Let's be honest: no one really wants an infrastructure of legally
> valid or enforceable GPG signatures, either. It's a technical
> verification that something is very unlikely to be altered if the
> signature is valid. Any particular overriding legal significance
> beyond that is unnecessary.

Legal significance is one point and it's too complicated in many
countries.


> Don't overdo it, please. PGP key servers are not supposed to be
> "authoritative." They are a convenience to extend an informal web of
> trust. Let's resist that German urge toward authoritarianism and
> absolutism, shall we?

Yeah, RIGHT! As a German I say, this urge in Germany and even in Europe
is totally silly. They are making an A380 out of a duck, so to
say. Or like we call it in Germany: "eine Mücke zu einem Elefanten
machen".


> Bosses and bullies do not help with privacy, personal digital
> signatures, or cryptography for personal use. The CA stuff is mostly
> for business, not personal. The adversaries in that case are
> pickpockets and credit card skimmers, not major governments and
> political enemies.

Right, but, to be honest, in some cases a GPG signature should even be
enough to prove the origin in a legal way. Some countries accept this
already, but not in silly old Europe. Okay, the EU sucks, but that's
another topic.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Garbled data in keyservers

2018-12-09 Thread Dirk Gottschalk via Gnupg-users
Hi.

On Sunday, 09.12.2018, 13:54 +0100, Stefan Claas wrote:
> On Thu, 06 Dec 2018 15:22:14 +0100, Werner Koch wrote:
> 
> > > That's right, but my thought is / was someone can (ab)use key
> > > servers as data storage / retrieval system and then only provides
> > > the key id  
> > 
> > As it has been commented, there are easier ways to do that.

> I have also read the threads on the sks-devel ML and my suggestion
> would be that we need more international CAs to get rid of all
> the problems the key server network has.

> People should think about the following:

> Get a sig from a CA and then upload your key via email.
> Then the key servers do something like a gpg --check-sigs
> to see if a key bears a valid CA sig and if it is found in their
> index the key will be added to the network, once the submitted
> UID matches with the email address header. So no cryptographic
> verification is imho needed. This would also eliminate, I think,
> that someone else can upload someone else's pub key.

And who decides which CA is trustworthy and which is not? The problem
is, like in the X.509 land, that it depends on an initial trust to one
or more central authorities. Who decides whom one can trust.

And further, why should anyone run something like a CA for free.
Sure, CAcert does it. But that's the only organisation I know who does
this.

And then again the question, who decides who gets the needed trust?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Garbled data in keyservers

2018-12-09 Thread justina colmena via Gnupg-users
On December 9, 2018 7:54:01 AM EST, Stefan Claas  
wrote:
>
>Get a sig from a CA and then upload your key via email.
>
That's a bit steep, and was never the original goal of PGP or GPG.

If the goal is to eliminate the bulk of bad keys and junk from key servers, an 
account creation with basic email verification for adding or removing keys 
should suffice.

Let's be honest: no one really wants an infrastructure of legally valid or 
enforceable GPG signatures, either. It's a technical verification that 
something is very unlikely to be altered if the signature is valid. Any 
particular overriding legal significance beyond that is unnecessary.

Don't overdo it, please. PGP key servers are not supposed to be 
"authoritative." They are a convenience to extend an informal web of trust. 
Let's resist that German urge toward authoritarianism and absolutism, shall we?

Bosses and bullies do not help with privacy, personal digital signatures, or 
cryptography for personal use. The CA stuff is mostly for business, not 
personal. The adversaries in that case are pickpockets and credit card 
skimmers, not major governments and political enemies.

-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/justina.colmena.asc



Re: Garbled data in keyservers

2018-12-09 Thread Stefan Claas
On Thu, 06 Dec 2018 15:22:14 +0100, Werner Koch wrote:

> > That's right, but my thought is / was someone can (ab)use key
> > servers as data storage / retrieval system and then only provides
> > the key id  
> 
> As it has been commented, there are easier ways to do that.

I have also read the threads on the sks-devel ML and my suggestion
would be that we need more international CAs to get rid of all
the problems the key server network has.

People should think about the following:

Get a sig from a CA and then upload your key via email.
Then the key servers do something like a gpg --check-sigs
to see if a key bears a valid CA sig and if it is found in their
index the key will be added to the network, once the submitted
UID matches with the email address header. So no cryptographic
verification is imho needed. This would also eliminate, I think,
that someone else can upload someone else's pub key.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
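The submission filter sketched in this post (accept a mailed-in key only if it carries a good CA certification and the submitted UID matches the mail's From address) together with Dirk's plausibility check on UIDs from earlier in the thread, as one added example that is not code from the thread or from any keyserver project. It assumes a placeholder CA key ID, a constructed rule that a sane UID looks like "Name <user@domain>", and runs on constructed `gpg --with-colons --check-sigs` style records rather than real keys.

```python
import re

# Constructed policy values (assumptions for this example, not from the thread).
CA_KEYID = "0123456789ABCDEF"  # placeholder long key ID of the accepted CA
MAX_UID_LEN = 256              # arbitrary bound on a sane user ID

# A plausible UID is "Name <user@domain>" or a bare address; nothing else.
UID_RE = re.compile(r"^[^<>]*?\s*<(?P<addr>[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+)>$")
ADDR_RE = re.compile(r"^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$")
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")  # long base64-looking run


def uid_email(uid):
    """Return the lower-cased address carried by a UID, or None."""
    m = UID_RE.match(uid)
    if m:
        return m.group("addr").lower()
    return uid.lower() if ADDR_RE.match(uid) else None


def check_uid(uid):
    """Plausibility check: None if the UID looks sane, else a short reason."""
    if len(uid) > MAX_UID_LEN:
        return "longer than %d characters" % MAX_UID_LEN
    if not uid.isprintable():
        return "contains control characters"
    if uid_email(uid) is None:
        return "not of the form Name <user@domain>"
    if BLOB_RE.search(uid):
        return "contains a base64-like blob"
    return None


def parse_key(colons):
    """Parse one key from `gpg --with-colons --check-sigs` style records."""
    # Field 10 of a uid record is the user ID; in a sig record field 2 is the
    # check status ("!" = good) and field 5 the signer key ID.  A sig record
    # belongs to the uid record that precedes it.
    key = {"keyid": None, "uids": []}
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key["keyid"] = f[4]
        elif f[0] == "uid":
            key["uids"].append({"uid": f[9], "sigs": []})
        elif f[0] == "sig" and key["uids"]:
            key["uids"][-1]["sigs"].append((f[4], f[1]))
    return key


def evaluate_submission(colons, from_addr):
    """Decide whether a mailed-in key may enter the index: (accepted, reasons)."""
    # Accept only if every UID is plausible, the sender address matches a
    # UID, and that UID carries a good certification from CA_KEYID.
    key = parse_key(colons)
    sender = from_addr.lower()
    reasons = []
    for entry in key["uids"]:
        why = check_uid(entry["uid"])
        if why:
            reasons.append("UID %r: %s" % (entry["uid"][:24], why))
    submitting = [e for e in key["uids"] if uid_email(e["uid"]) == sender]
    if not submitting:
        reasons.append("sender %s matches no UID on the key" % from_addr)
    elif not any(signer == CA_KEYID and status == "!"
                 for e in submitting for signer, status in e["sigs"]):
        reasons.append("no good CA certification on the sender's UID")
    return (not reasons, reasons)


# Constructed sample records (not real keys): one clean key certified by the
# CA, and one with a bad CA signature plus a UID that is just an encoded blob.
GOOD_KEY = "\n".join([
    "pub:u:3072:1:AAAABBBBCCCCDDDD:1544000000:::u:::scESC::::::23::0:",
    "uid:u::::1544000000::UIDHASH1::Alice Example <alice@example.org>::::::::::0:",
    "sig:!::1:AAAABBBBCCCCDDDD:1544000000::::Alice Example <alice@example.org>:13x:::::2:",
    "sig:!::1:0123456789ABCDEF:1544003600::::Example CA <ca@example.net>:10x:::::2:",
])
BAD_KEY = "\n".join([
    "pub:u:3072:1:EEEEFFFF00001111:1544000000:::u:::scESC::::::23::0:",
    "uid:u::::1544000000::UIDHASH2::Mallory <mallory@example.org>::::::::::0:",
    "sig:-::1:0123456789ABCDEF:1544003600::::Example CA <ca@example.net>:10x:::::2:",
    "uid:u::::1544000000::UIDHASH3::" + "QUJDRA" * 12 + "::::::::::0:",
])
```

Calling `evaluate_submission(GOOD_KEY, "alice@example.org")` accepts the key, while `BAD_KEY` is rejected both for its blob UID and for the bad CA signature on the sender's UID.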

