Jean Louis <bugs@gnu.support> wrote:
> * Dmitry Alexandrov <321...@gmail.com> [2019-10-28 17:53]:
>> the SKS keyserver network — the de-facto standard for years — is not
>> [proprietary], it is a decentralized replicated network — like Usenet; while
>> keys.openpgp.org, to carry on the analogy, is like Facebook.
>
> Yes, I would say it should be decentralized.

I did not expect any other answer here — at libreplanet-discuss. The question is: what to do? First of all, how to make that clear to those who do not see any danger in the situation — like Werner Koch?

> But I see the problem

What problem?

> and that problem is temporarily solved by that service.

In any case, if thatʼs a ‘solution’, I have a much better one: cease to use email and PGP, and switch to, say, WhatsApp.

>> Maybe. In meantime, SKS is _fully operational_.
>
> Is it?

Yes. Dozens of keyservers are still there and provide all the services they used to provide.

> Is the security problem solved?

There was no security problem. There is a performance problem not in SKS but _in GnuPG_, that rendered it unusable for polluted ‘web of trust’. It was ‘solved’ by disabling ‘web of trust’ functional by default. It still can be enabled if you need it and are ready to face GnuPGʼs bugs. But most of GnuPGʼs users — including me and you — did not use ‘WoT’ anyway, so there is no problem for them at all.

Please note, the proprietary keyserver does not provide support for ‘WoT’ at all. It also lacks other features of SKS and imposes arbitrary restrictions on you: for instance, you are not allowed to specify more than one email address. But these are minor issues compared to the fact that it is a walled garden specifically designed to collect all the data in a single place and keep it secret.

>> FWIW, I got your key from SKS network and have no idea, where else I could.
>> You, I suppose, got mine in the same way.
>
> You would ask person. That is number one. You could find keys on websites,
> but in general you ask people.
>
> Finding key on the server is not essential.

To repeat: I found your key on the keyserver, and have no clue where it could find else. In other words, your statement is equivalent to “using encryption is not essential for mail exchange”. Yes, it is not: I could mail you in cleartext and by all means would do that, if had not located your key.

> I do not even know did I publish it or not, I do not know.

Yes, you did. And thatʼs the _only_ standard way you made it available:

$ gpg --auto-key-locate=nodefault,cert,pka,dane,wkd,keyserver --locate-keys bugs@gnu.support
gpg: error retrieving 'bugs@gnu.support' via DNS CERT: Not found
gpg: error retrieving 'bugs@gnu.support' via PKA: Not found
gpg: error retrieving 'bugs@gnu.support' via DANE: Not found
gpg: error retrieving 'bugs@gnu.support' via WKD: No data
gpg: key 12BC51224B9DC65C: "Jean Louis <bugs@gnu.support>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: automatically retrieved 'bugs@gnu.support' via keyserver
pub rsa2048 2016-11-13 [SC]
      BFDFE35C128B5DF0E21E5F0812BC51224B9DC65C
uid [ unknown] Jean Louis <bugs@gnu.support>
sub rsa2048 2016-11-13 [E]

You do not use Autocrypt either, so itʼs extremely sad, that you did that unintentionally. I wish PGP to gain more adoption.

But thatʼs entirely different topic: the question is not whether PGP should gain more adoption and how to publish keys, if yes. The question is about choice between two keyserver networks: one is decentralized (and featureful), another is proprietary (and crippled). Is not the answer obvious?