Hello,

Sorry to bring this thread back from the dead, but now that I have a preprint out I can elaborate a bit more on my motivations for this previous discussion.

I've spent a little bit of time investigating the use of Tor to create an interactive protocol for auditing keyservers, the idea being that if Tor works well and is properly configured and used, a keyserver can't tell who is who when two requests come in simultaneously. The idea is that you continuously make requests, perhaps a few times an hour, for your own key. Then, when you want to verify someone else's key, you do the same thing for a certain number of requests, make sure the responses are all the same, and then wait for a bit to make sure that the other party hasn't reported receiving several different keys.

This is obviously fairly simplified---you probably want to verify a Merkle tree rather than an individual key, you need some way for a person to publicly report failures, a reliable and correctable way of selecting a key from the search results, etc.

The paper and prototype are here if anyone is interested:

http://arxiv.org/abs/1602.03316
https://github.com/LachlanGunn/keywatch

Apologies if this is too far off-topic, but since it's PGP-related and explains my previous cryptic questions about selecting keys, I thought someone perhaps might be interested, even if only for some closure. I'd certainly appreciate any thoughts that anyone might have.

Thanks,
Lachlan
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
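To make the auditing idea in the message above concrete, here is an added simulation of the protocol. It is not code from the keywatch prototype or the paper; the `Keyserver`, `PublicLog`, `owner_monitor` and `verifier_audit` names, the key blocks, and the "lie to every N-th request" server strategy are all constructed for this example. Tor itself is modelled only as an assumption: the server receives anonymous lookups and cannot tell the key owner's requests from a verifier's, so a dishonest server can only choose which fraction of lookups to answer with a forged key, not whose.

```python
import hashlib

# Constructed sample key blocks (not real OpenPGP material).
GENUINE_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK----- alice genuine (constructed)"
FORGED_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK----- alice forged (constructed)"


def fingerprint(key: bytes) -> str:
    """Short stand-in for an OpenPGP fingerprint: hash of the key block."""
    return hashlib.sha256(key).hexdigest()[:16]


class Keyserver:
    """A keyserver that may equivocate on lookups of a chosen identity.

    Lookups arrive over Tor (assumed), so the server sees no client identity
    and can only lie to a fraction of requests.  Here that fraction is modelled
    deterministically: every `lie_every`-th lookup of a forged identity gets the
    forged key; lie_every=0 means an honest server.
    """

    def __init__(self, keys, forged=None, lie_every=0):
        self.keys = dict(keys)
        self.forged = dict(forged or {})
        self.lie_every = lie_every
        self.count = 0  # total lookups seen, owner and verifiers alike

    def lookup(self, ident: str) -> bytes:
        self.count += 1
        if ident in self.forged and self.lie_every and self.count % self.lie_every == 0:
            return self.forged[ident]
        return self.keys[ident]


class PublicLog:
    """Stand-in for the public channel where owners report mismatches."""

    def __init__(self):
        self.reports = []

    def report(self, ident: str, seen: set):
        self.reports.append((ident, sorted(seen)))

    def failures_for(self, ident: str):
        return [r for r in self.reports if r[0] == ident]


def owner_monitor(server, log, ident, expected: bytes, rounds: int) -> bool:
    """The key owner repeatedly fetches its own key; any mismatch is reported."""
    seen = {fingerprint(server.lookup(ident)) for _ in range(rounds)}
    if seen != {fingerprint(expected)}:
        log.report(ident, seen)
        return False
    return True


def verifier_audit(server, log, ident, rounds: int):
    """A verifier fetches the key `rounds` times and accepts it only if every
    response agrees and the owner has published no failure report."""
    responses = {fingerprint(server.lookup(ident)) for _ in range(rounds)}
    if len(responses) != 1:
        return None, "inconsistent responses: %s" % sorted(responses)
    if log.failures_for(ident):
        return None, "owner reported equivocation"
    return responses.pop(), "consistent"


def undetected_probability(p: float, n: int) -> float:
    """If the server forges a fraction p of anonymous lookups, the chance that
    n independent lookups all agree (so the verifier alone sees nothing) is
    p**n + (1-p)**n; this is how to size `rounds`."""
    return p ** n + (1 - p) ** n


def run_scenario(lie_every: int):
    """Owner monitors first, then a verifier audits; returns the outcome."""
    server = Keyserver({"alice": GENUINE_KEY}, forged={"alice": FORGED_KEY}, lie_every=lie_every)
    log = PublicLog()
    owner_ok = owner_monitor(server, log, "alice", GENUINE_KEY, rounds=8)
    fp, verdict = verifier_audit(server, log, "alice", rounds=8)
    return owner_ok, fp, verdict


if __name__ == "__main__":
    for lie_every, label in ((0, "honest"), (1, "forge every lookup"), (2, "forge every 2nd lookup")):
        print(label, run_scenario(lie_every))
    print("P(undetected by verifier alone), p=0.5, n=20:", undetected_probability(0.5, 20))
```

The three scenarios show why both halves of the protocol are needed: a server that forges every lookup is caught by the owner's monitoring (the verifier's responses are consistent, but a report is published), while a server that forges only some lookups is caught by the verifier's consistency check. The `undetected_probability` helper gives the verifier-only miss rate for a given forgery fraction and request count, which is what decides how many requests to make.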