Another possible listing place is keybase.io. It takes a slightly
different approach to key validation. The basic idea is that you
demonstrate your control of the matching private key by using it to
sign proofs on various platforms (websites, social media, etc.), which
Keybase tracks and validates. People can confirm that at least the
person who controls the domain name, website, Twitter account, or some
other such thing also has access to the private key. So, if you think
they'd have noticed if they lost control of those things and would
somehow have let you know, then it's reasonable to infer that it's
really them who provided the public key.

On Fri, Feb 4, 2022 at 8:51 PM Randy Bush <ra...@psg.com> wrote:
>
> > Is PGP still an OK way to encrypt a document to send
> > securely as an attachment via email?
>
> we use it
>
> > Is there a "phonebook" of trustworthy PGP public keys?
>
>     `gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
>
> is my fave.  half-assed baroque doc at
>     https://git.rg.net/randy/randy/src/master/pgp-WKD.md
> but i suggest https://wiki.gnupg.org/WKDHosting
>
> then there are the public keyrings.  a priori they are not at all safe.
> but if you can confirm signatures on keys there, ...  welcome to the web
> of trust.
>
> the key repos suck.  the classics, pool.sks-keyservers.net, are pretty
> rotten, broken much of the time.  pgp.uni-mainz.de is more reliable than
> most of that set.
>
> the new hipster rings, hkps://keys.openpgp.org, also suck, just
> differently.
>
> randy
>
> ---
> ra...@psg.com
> `gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
> signatures are back, thanks to dmarc header butchery

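As an added illustration of what the `gpg --auto-key-locate wkd` lookup quoted above actually fetches (this is not code from the thread or from GnuPG), the following derives the Web Key Directory URLs for an address the way draft-koch-openpgp-webkey-service specifies: the local-part is lowercased, SHA-1 hashed, z-base-32 encoded, and looked up under a well-known path either on the mail domain itself (direct method) or on the `openpgpkey` subdomain (advanced method). The sample address `Joe.Doe@Example.ORG` is the draft's own worked example; the function and variable names are mine.

```python
"""Derive the Web Key Directory (WKD) lookup URLs for an e-mail address.

Illustrative code added beside the thread; it is not from the post or
from GnuPG. It follows draft-koch-openpgp-webkey-service: lowercase the
local-part, SHA-1 it, z-base-32 encode the digest, and build the
direct and advanced lookup URLs from that hash.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (Zooko's), the encoding WKD uses for the hashed local-part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per symbol, zero-padded tail, no '=' padding."""
    bits = "".join(f"{byte:08b}" for byte in data)
    if len(bits) % 5:
        bits += "0" * (5 - len(bits) % 5)
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """The 32-character hashed local-part that appears in the WKD path.

    The local-part is lowercased before hashing, so Joe.Doe and joe.doe
    resolve to the same key file. 160 bits of SHA-1 encode to exactly
    32 z-base-32 symbols, so no padding is involved.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD URLs a client would fetch for `address`."""
    if address.count("@") != 1:
        raise ValueError("expected a single user@domain address")
    local, domain = address.split("@")
    domain = domain.lower()
    hashed = wkd_hash(local)
    # The original (not lowercased) local-part is passed back, URL-encoded,
    # as the `l` query parameter so the server can serve the right key.
    query = "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{hashed}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
    }


if __name__ == "__main__":
    # Constructed input: the draft's own example address.
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method}: {url}")
```

Both URLs must serve the key as a binary OpenPGP packet stream over HTTPS; a client such as GnuPG tries the advanced method first and falls back to the direct one. Note what this does and does not prove: a successful WKD fetch shows that whoever controls the domain's web server (and its TLS certificate) published that key for that address, which is a different, and usually weaker, assertion than a signature from someone you have already verified.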