>> But that's the main primary reason of the article at all. The fact
>> that anyone can upload _every_ key to a keyserver is an issue. If
>
> No, it is not, it has always been very clear not to rely on the
> existence of a key on either a keyserver or on a local keyring without
> proper verification and certification

So what exactly is the purpose of the keyserver then? If you expect me to still verify fingerprints out of band, why would I grab a - probably bogus - key from a keyserver in the first place? I could immediately ask my peer to send it by mail.

The keyserver would make sense, if my mail client would automatically fetch the public key from a server, based on the e-mail address of the sender and some identity data (e.g. fingerprint) in the mail signature. It would then prompt me, if I want to add that key to my keyring and optionally perform some additional out-of-band checks.

Because normally I exchange keys in the context of establishing a relationship with the sender of the e-mail. The context (mail arrived expectedly, had a phone call just before, answers my request) allows me to make a cautious decision about the level of trust I have in the key.

I have been using GnuPG for ages now, but I verified fingerprints only a handful of times. Most of the time, I ask my peer for his public key and wait for the mail to arrive.

For me web-of-trust and key signing parties don't make any sense, because I'd rather start a communication with a bogus key and establish trust in my genuine peer from the conversation we are having. I like the way Threema does it: I can immediately start a secure communication and if I need to, I can elevate the trust I have in the key. But most of the time I'm communicating with people I know anyway.

-- 
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com