On 06/30/2019 01:34 AM, Andrew Gallagher wrote:
>
>> On 30 Jun 2019, at 09:19, Robert J. Hansen <r...@sixdemonbag.org> wrote:
>>
>> The next version of Enigmail will no longer use the SKS network by
>> default. Great! But what about existing Enigmail users? They'll see a
>> signature, click "Import Key", and ... bam. They're likely not going to
>> think that someone's performing a malicious attack by poisoning
>> certificates: they're going to think "this is crap" and walk away.
>
> Thankfully there is a practical - if drastic - solution for all OpenPGP users
> everywhere. Point pool.sks-keyservers.net (and its various aliases) somewhere
> else. The question is where to and how soon.
>
> A

This is undoubtedly a naive question. But anyway, would it be feasible
to test keys by importing them, and seeing which ones break OpenPGP?
Maybe do it in minimal Docker containers? And then somehow block access
to those keys? Or is blocking just as impossible as deleting?

I know that wouldn't help people whose keys had been poisoned. But at
least it would help protect complex systems that rely on OpenPGP.

And if resource requirements would be impossible, what about focusing
on the most important keys? For key packages, say.