On Fri 27.02.2015, 13:11:33 Kristian Fiskerstrand wrote:

> > We need keyservers which are a lot better than today's. IMHO that
> > also means that a keyserver should tell a client for each offered
> > certificate whether it (or a trusted keyserver) has made such an
> > email verification.
>
> The keyservers have no role in this, they are pure data stores and can
> never act as a CA.
That is not a higher truth which must not be breached. The other way round it is correct, though: It must be possible to run a keyserver without making any statements about the certificates.

> That would bring up a can of worms of issues, both
> politically and legally, I wouldn't want to see the first case where a
> keyserver operator was sued for permitting a "fake key" (the term
> itself is very misleading

I would consider taking that to court ridiculous (for several reasons, one being the (also ridiculous) class 1 X.509 certifications) but it makes obviously little sense for us to make a mandatory assessment for the whole world. That is a decision which everyone who runs a keyserver (or intends to) should make himself.

This need not be implemented by the keyserver making signatures. It would be enough if there were certificate attributes in the keyserver answer. That way these certificates could not easily become valid by some not so clever user giving full certification trust to the keyserver's own certificate.

> People need to understand that operational security is critical for
> any security of a system and validate the key through secondary
> channel (fingerprint, algorithm type, key length etc verifiable
> directly or through probabilistic measures e.g. based on historical
> postings on mailing lists over a long time for a project etc).

I could hardly agree more but it is easy to join the "People need to understand" game if you are on a mailing list. This becomes much harder if you have been working on spreading OpenPGP usage in the nasty real world for a while. Like I have. For more than two years I have been teaching people myself, seen what is done (and what isn't) at Cryptoparties, have tried to use universities and schools for gaining new users. So what do we talk about here if in good approximation nobody outside this mailing list gives a^W^W cares about that? We are going to lose this if we don't make usable offers.
And in case it is not already well known here: I am at the security extremist end of the spectrum. I think both OpenPGP and GnuPG are not good enough yet in supporting high level security. I am just not willing to ignore the other 99.3%.

Hauke

--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users