> I think the time has come where we have to re-evaluate what the
> keyservers are *for*. Once we answer that, we answer what should be
> done about it.

I agree, although I think maybe you're not taking it far enough. What threats should we be defending against?

The original idea of a keyserver network came out of the early 1990s. It was the product of that vision -- where even liberal democracies of the West were tightly controlling crypto and the general belief was that even nations like the US and UK might make it illegal to use strong crypto. We also believed governments would try to coerce keyserver operators into cooperating with man-in-the-middle attacks, and that keyservers would be high-value targets because they were the principal way people could look up certificates.

This vision informed pretty much every single engineering decision that went into the keyserver network. It is still the vision influencing the keyserver network today.

It is also, as near as I can tell, batshit nonsense.

AFAIK, _no_ keyserver operator in the West has ever been served with a court instrument compelling cooperation with MITM attacks or removing a key from the server or whatever. In 26 years this fear has literally never come to pass.

Maybe we should rethink our threat model.

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel