On Fri, 2019-06-14 at 10:12 +0200, Oscar Carlsson via Gnupg-users wrote:
> I'm generally curious on your opinions on the latest new keyserver, this
> time running new software rather than that of the normal keyservers.
>
> They seem to have a different model which minimizes the amount of
> information available, to be compliant with GDPR and friends. Do you
> think there are any downsides to this?
>
Others have already somewhat pointed this out but I believe it hasn't been
emphasized enough: in my opinion, stripping third-party signatures entirely
is a no-go. I'd go even as far as to say this key server is harmful to
OpenPGP users, and defeats the purpose of using OpenPGP.

I agree that WoT is nowhere near perfect, and that it is confusing to a lot
of simple users. However, it's the best solution for validating keys that
we have right now.

With keys.openpgp.org implicitly stripping third-party signatures on one
hand, and explicitly requiring e-mail verification on the other, it
effectively shifts the security model into trusting e-mail verification
done by the server software. I'm not saying that people running the server
encourage that in any way. I'm saying that it's going to happen to a larger
degree than before because users will be making the wrong assumptions.

In other words, if users see that the particular key will be associated
with the e-mail address only once that address is verified, some of them
will also assume that if the e-mail address is present, then it is reliably
confirmed.

-- 
Best regards,
Michał Górny
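As an added example (not code from either poster), a check for the point made above: once a keyserver strips third-party certifications, the copy of the key it serves leaves nothing for WoT validation to work with. The script parses constructed `gpg --with-colons --list-sigs` output (field layout per GnuPG's doc/DETAILS; the key IDs and user IDs are made up) and reports whether any UID still carries a certification from someone other than the key owner.

```python
# Constructed `gpg --with-colons --list-sigs` listings (made-up key IDs and UIDs).
# Field layout follows GnuPG's doc/DETAILS: field 1 = record type, field 5 = key ID
# (issuer key ID on 'sig' records), field 10 = user ID, field 11 = signature class.

# Alice's key as an SKS-style server returns it: self-certification plus Bob's
# third-party certification on the UID.
FULL_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::0123456789ABCDEF::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice Example <alice@example.org>:13x::::::2:
sig:::1:BBBBBBBBBBBBBBBB:1500100000::::Bob Example <bob@example.org>:10x::::::2:
"""

# The same key with third-party signatures stripped: only the self-signature remains.
STRIPPED_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::0123456789ABCDEF::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice Example <alice@example.org>:13x::::::2:
"""

# 0x10-0x13 are the UID certification classes; 0x30 (revocation) and 0x18
# (subkey binding) are not WoT material.
CERT_CLASSES = {"10", "11", "12", "13"}

def certification_summary(listing):
    """Return {user_id: {"self": n, "third_party": n}} for every UID in the listing."""
    primary = None
    current_uid = None
    summary = {}
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            primary = fields[4]
        elif rtype == "uid":
            current_uid = fields[9]
            summary[current_uid] = {"self": 0, "third_party": 0}
        elif rtype == "sub":
            current_uid = None  # following sigs are subkey bindings, not UID certs
        elif rtype == "sig" and current_uid is not None and len(fields) > 10:
            if fields[10][:2] not in CERT_CLASSES:
                continue
            kind = "self" if fields[4] == primary else "third_party"
            summary[current_uid][kind] += 1
    return summary

def wot_usable(listing):
    """True only if some UID carries a certification from a key other than its own."""
    return any(c["third_party"] > 0 for c in certification_summary(listing).values())
```

Run against a real key with `gpg --with-colons --list-sigs KEYID` piped into `certification_summary` to see what a given keyserver's copy left you to validate with.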
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users