-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 02/27/2015 05:26 PM, Patrick Brunschwig wrote:
> On 27.02.15 13:11, Kristian Fiskerstrand wrote:
>> On 02/27/2015 12:43 PM, Hauke Laging wrote:
>>> On Fri 27.02.2015, 12:27:40, gnupgpacker wrote:
>>
>>>> Maybe implementation with an opt-in could preserve
>>>> publishing of faked keys on public keyservers?
>>
>>> We need keyservers which are a lot better than today's. IMHO
>>> that also means that a keyserver should tell a client for each
>>> offered certificate whether it (or a trusted keyserver) has
>>> made such an email verification.
>>
>> The keyservers have no role in this, they are a pure data store
>> and can never act as a CA. That would bring up a can of worms of
>> issues, both politically and legally; I wouldn't want to see the
>> first case where a keyserver operator was sued for permitting a
>> "fake key" (the term itself is very misleading, the key itself
>> isn't fake at all, but a fully valid key where the UID has not
>> been mated to its holder through proper validation).
>
> But that's the main primary reason of the article at all. The fact
> that anyone can upload _every_ key to a keyserver is an issue. If
No, it is not. It has always been very clear not to rely on the existence of a key on either a keyserver or on a local keyring without proper verification and certification.

> keyservers would do some sort of verification (e.g. confirmation
> of the email addresses) then this would lead to much more reliable
> data. Furthermore, we need a feature to allow keys to be removed in
> case the true owner of an email address requests it.

Again, no it won't. A key could still be valid even though a second user adopts a domain name; what should happen to the first key on the keyserver in such an event, in particular if this is revoked? Any activity from the keyservers on this could lead to misappropriation. This would be bad for the overall security of the network; it is a reason the keyservers are add-only and should continue to remain so.

>
> I know that this collides with today's keyservers and it also
> collides with keyservers exchanging keys between each other, but I
> strongly believe that this would make keyservers more trustworthy
> than today.

It collides with security and is a bad idea.
- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Nomina stultorum scribuntur ubique locorum
Fools have the habit of writing their names everywhere
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJU8JvcAAoJEP7VAChXwav6qyEH/RtQlf3Y/hS02TByKbC/fYxt
LunKjBEucWb06V3H+rU2og0SWwsnXhNq+LxHZsm8X6YaCKDT/zXjtUYyQzuqTbfH
e6lBlXWJK/XyauXWi4RPNX2LhZkx8z+bRpMA6EcFvlZu/+jmWUDLXTCsypzpr77O
Ex+G4Y6yJG4d/atJEMtjqeKPBwhvWCpDBA1Ar4SR5xiXDa3FtNQ/dYxCxDsGuwad
Yk82YHSjeH1CMwmk1rLB1q/btaFwr7ZKeAR1ox8M9xBukfiCeYF09A3RtDPP/yHQ
KTsFg5aaU0IksqJnsiVXOTbX1VRi4e6rho9O762nwbZSw7hfRHoDKOjWIyHsSQU=
=vv+O
-----END PGP SIGNATURE-----

Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
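The point made in the message above, that a key's presence on a keyserver under some User ID says nothing about who holds it and that the client must verify and certify, can be illustrated with a small model. The following is an added example, not code from the thread or from GnuPG: it assembles version 4 RSA public-key packets per RFC 4880 (section 5.5.2) with toy moduli that are not usable keys, computes their fingerprints per RFC 4880 section 12.2, uploads two keys carrying the same constructed User ID to an add-only store, and shows that only an out-of-band fingerprint comparison on the client side separates the holder's key from the other one. The `AddOnlyKeyserver` class, the User ID and the moduli are assumptions made for the example.

```python
# Added example (not from the mailing-list thread): a toy model of why a
# keyserver cannot vouch for a User ID. Anyone can assemble a valid OpenPGP
# v4 key packet carrying any name and e-mail address and upload it; the only
# property that pins a key to its holder is the fingerprint, which the client
# must compare against a value obtained out of band before certifying locally.
#
# Packet layouts follow RFC 4880 (5.5.2 public-key packet, 12.2 fingerprint).
# The RSA moduli below are toy values constructed for the example, not real keys.
import hashlib
import re
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1, MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length and the body, as 40 hex digits."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def normalize_fingerprint(text: str) -> str:
    """Accept the common spaced form ('94CB AFDD ...') and return 40 upper-case hex digits, or raise."""
    compact = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("not a v4 fingerprint: %r" % text)
    return compact


class AddOnlyKeyserver:
    """Hypothetical pure data store: any well-formed key is accepted, nothing is ever removed."""

    def __init__(self) -> None:
        self._keys = {}  # fingerprint -> (key body, user id)

    def upload(self, body: bytes, user_id: str) -> str:
        fpr = v4_fingerprint(body)
        self._keys[fpr] = (body, user_id)
        return fpr

    def search_uid(self, user_id: str) -> list:
        """Every fingerprint carrying this User ID; the server cannot tell which belongs to the real holder."""
        return sorted(f for f, (_, uid) in self._keys.items() if uid == user_id)


def accept_key(candidate_fpr: str, verified_fpr: str) -> bool:
    """Client-side check: accept a fetched key only if its fingerprint equals one verified out of band."""
    return normalize_fingerprint(candidate_fpr) == normalize_fingerprint(verified_fpr)


# Constructed scenario: the holder's key and a third party's key sharing one User ID.
UID = "Alice <alice@example.org>"
ALICE_BODY = rsa_public_key_body(n=0xC0FFEE1234567890ABCDEF, e=65537, created=1425000000)
IMPOSTER_BODY = rsa_public_key_body(n=0xBADC0DE0FEDCBA9876543210, e=65537, created=1425000001)


def demo() -> dict:
    server = AddOnlyKeyserver()
    alice_fpr = server.upload(ALICE_BODY, UID)
    imposter_fpr = server.upload(IMPOSTER_BODY, UID)
    # A UID search returns both keys; nothing stored on the server distinguishes them.
    hits = server.search_uid(UID)
    # The fingerprint the user obtained from Alice herself, in the spaced form people exchange.
    verified = " ".join(alice_fpr[i:i + 4] for i in range(0, 40, 4))
    return {
        "hits": hits,
        "accepted": [f for f in hits if accept_key(f, verified)],
        "alice": alice_fpr,
        "imposter": imposter_fpr,
    }


if __name__ == "__main__":
    result = demo()
    print("keys found for", UID, ":", len(result["hits"]))
    print("accepted after fingerprint check:", result["accepted"])
```

The store never decides between the two uploads; the decision is made entirely by the client's comparison against a fingerprint it trusts for reasons the keyserver knows nothing about, which is the separation between data store and certification the message argues for.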