On 30/06/2019 13:44, Robert J. Hansen wrote:
> This has all the hallmarks of a child playing with matches and
> clapping with glee as the house catches fire.

I think not. You yourself say that the SKS system has had known problems for well over a decade and yet nothing has been done about it. In other words, inertia has overruled both prudence and strategic avoidance of predictable problems[1].

Well, someone has now brought widespread attention to the issue. By poisoning the certificate of (at least) two very high-profile members of this community, they have brought absolutely unavoidable attention to the fact that something needs to be done *now*. As things stand, it's still not too late for something to be done to protect the vast majority of users and use cases. Good can come of this attack on you and DKG.

Yes, as you say in your Gist, the attackers could have come to you and worked together. But I can also understand why they didn't: This approach has made waves, and sometimes waves are necessary to wake up a community that really knows it should be taking action but hasn't done so.

Both you and DKG are clearly furious that you were targeted (and rightly so!) but if 'lesser' members of the community had been attacked in this way it's entirely possible that either no one would have noticed or that it would not have had the radical shake up effect that this is now having.

I'm not condoning an attack like this. In the UK (where I am located) it is likely to be illegal, and it is probably illegal in other jurisdictions. But I just don't see a "child [...] clapping with glee". Instead it seems to me that the net result is that long overdue action is now taking place.

Thank you for all your input into OpenPGP. Yes, it's made you a target. But, despite the seemingly personal nature of this, it does seem that good can come of it.

(And for the avoidance of doubt: I do not know who was behind this and it was not me.)

Footnote:-
1: You referred to this inertia as "powerful technical and social factors" which is true but they still represent a bug, not a feature. These factors are in effect societal excuses, not legitimate reasons for lack of action.

As I write this, I fully appreciate the fact that very few people receive remuneration for writing code or maintaining key servers (or much of anything else connected with OpenPGP). But again, perhaps this is also a bug of sorts. Perhaps there does need to be a way for critical non-hierarchical Internet infrastructure like this to be financed. Isn't Eric S. Raymond working on something like this right now?

-- 
Mark Rousell
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users