Vincent Breitmoser wrote:

> > It would be nice if you can add to the keyserver list also the
> > mailvelope.com keyserver,
>
> I concur keys.mailvelope.com is a fine keyserver today. However, you might
> want to consider:
>
> > because it requires users to authenticate their keys against the keyserver
> > with a received encrypted email
>
> An "encrypted" verification email in no way, shape or form "authenticates"
> a key any more than an unencrypted email. It may seem like it should at first
> glance, but it really doesn't if you think through the attack scenarios.

Well, at least then it is an additional protection layer, which is nice to have.

> > and it also allows keeping third party signatures, compared to Hagrid.
>
> This property also makes it susceptible to flooding attacks, and Mailvelope
> doesn't make use of third party sigs itself.

I think they changed it a while ago. Before, one could submit keys once they were already on the keyserver. Now it again requires a confirmation email. And it is true that while you can't sign keys with Mailvelope, the Key Manager, however, shows them.

> I talked to Thomas (from Mailvelope) the other day, and he said he would
> either want to make their implementation more abuse resistant (which I assume
> means dropping third party sigs as well), or decommissioning it altogether in
> favor of Hagrid.

I think that the Mailvelope keyserver is nice for people who are in need of CA or classic WoT signatures. So they should IMHO keep it.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas