Re: [LUG] Public Key Servers

 

On Wed, Aug 12, 2020 at 04:11:46PM +0100, Simon Waters wrote:
> On Saturday, 8 August 2020 17:00:30 BST maceion@xxxxxxxxx wrote:
> >
> > Any comment from you knowledgeable folk about key servers?
> 
> Last time I looked, and it was a long long time ago, nearly all the major key 
> servers were running versions of key signing software with known security 
> flaws.
> 
> Now in theory this doesn't matter, since the security of the chain is 
> dependent on the keys themselves, meanwhile in practice if you can keep stale 
> material current, reject new key material, or flood bad, or fake material, you 
> get to play games that key servers should seek to suppress.
> 
> Back then most key servers didn't fully grasp subkeys, and some didn't even 
> handle them. I'd be surprised if the situation was quite as bad as regards 
> software maintenance as I'm sure more of these packages are in distros by now.
> 
> I'd be surprised if the situation was fantastic, unless the main key server 
> operators have deliberately undertaken work to make it so.
> 
> Note also since this I had a discussion on FB with the chap who invented the 
> whole web of trust, he apparently regards it as a mistake. Trust doesn't work 
> like that. So whilst keyservers may be a convenient way of distributing 
> certain keys, how you establish trust in those keys is another question 
> entirely, hopefully by a slightly more formal process than the web of trust.
> 

Rant: I wish some of the life companies who use PGP published their keys as 
opposed to removing all reference to them from their websites.




-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq