Re: emailselfdefense.fsf.org indirectly recommends a proprietary service through the new Enigmail defaults
Tue, 29 Oct 2019 11:23:15 +0300
Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
Jean Louis <email@example.com> wrote:
> * Dmitry Alexandrov <firstname.lastname@example.org> [2019-10-28 17:53]:
>> the SKS keyserver network — the de-facto standard for years — is not
>> [proprietary], it is a decentralized replicated network — like Usenet; while
>> keys.openpgp.org, to carry on the analogy, is like Facebook.
> Yes, I would say it should be decentralized.
I did not expect any other answer here — at libreplanet-discuss. The question
is: what to do? First of all, how to make that clear to those who do not see
any danger in the situation — like Werner Koch?
> But I see the problem
> and that problem is temporarily solved by that service.
In any case, if thatʼs a ‘solution’, I have a much better one: cease to use email
and PGP, and switch to, say, WhatsApp.
>> Maybe. In the meantime, SKS is _fully operational_.
> Is it?
Yes. Dozens of keyservers are still there and provide all the services they
used to provide.
> Is the security problem solved?
There was no security problem.
There is a performance problem not in SKS but _in GnuPG_, that rendered it
unusable for a polluted ‘web of trust’. It was ‘solved’ by disabling the ‘web of
trust’ functionality by default. It still can be enabled if you need it and are
ready to face GnuPGʼs bugs. But most of GnuPGʼs users — including me and you — did
not use ‘WoT’ anyway, so there is no problem for them at all.
Please note, the proprietary keyserver does not provide support for ‘WoT’ at
all. It also lacks other features of SKS and imposes arbitrary restrictions on
you: for instance, you are not allowed to specify more than one email address.
But these are minor issues compared to the fact that it is a walled garden
specifically designed to collect all the data in a single place and keep it
>> FWIW, I got your key from SKS network and have no idea, where else I could.
>> You, I suppose, got mine in the same way.
> You would ask the person. That is number one. You could find keys on websites,
> but in general you ask people.
> Finding a key on the server is not essential.
To repeat: I found your key on the keyserver, and have no clue where it could
In other words, your statement is equivalent to “using encryption is not
essential for mail exchange”. Yes, it is not: I could mail you in cleartext
and by all means would do that, if I had not located your key.
> I do not even know whether I published it or not, I do not know.
Yes, you did. And thatʼs the _only_ standard way you made it available:
$ gpg --auto-key-locate=nodefault,cert,pka,dane,wkd,keyserver
gpg: error retrieving 'email@example.com' via DNS CERT: Not found
gpg: error retrieving 'firstname.lastname@example.org' via PKA: Not found
gpg: error retrieving 'email@example.com' via DANE: Not found
gpg: error retrieving 'firstname.lastname@example.org' via WKD: No data
gpg: key 12BC51224B9DC65C: "Jean Louis <email@example.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: automatically retrieved 'firstname.lastname@example.org' via keyserver
pub rsa2048 2016-11-13 [SC]
uid [ unknown] Jean Louis <email@example.com>
sub rsa2048 2016-11-13 [E]
You do not use Autocrypt either, so itʼs extremely sad that you did that
unintentionally. I wish PGP to gain more adoption.
But thatʼs an entirely different topic: the question is not whether PGP should
gain more adoption and how to publish keys, if yes.
The question is about the choice between two keyserver networks: one is
decentralized (and featureful), the other is proprietary (and crippled). Is not
the answer obvious?
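As an added example (not part of the list mail above), the following script parses the kind of stderr that the quoted `gpg --auto-key-locate=nodefault,cert,pka,dane,wkd,keyserver` run produces and reports, per address, which discovery mechanisms actually yielded a key. The sample log, the address and the key id are constructed placeholders modelled on the quoted session; an address found only via a keyserver is flagged, since its discoverability then rests entirely on which keyserver network the client is configured to use.

```python
import re
from typing import Dict, List

# Constructed sample of gpg stderr, modelled on the session quoted in the
# mail above (same mechanisms; placeholder address and key id).
SAMPLE_GPG_STDERR = """\
gpg: error retrieving 'someone@example.com' via DNS CERT: Not found
gpg: error retrieving 'someone@example.com' via PKA: Not found
gpg: error retrieving 'someone@example.com' via DANE: Not found
gpg: error retrieving 'someone@example.com' via WKD: No data
gpg: key 0000000000000000: "Someone <someone@example.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: automatically retrieved 'someone@example.com' via keyserver
"""

# Order in which --auto-key-locate=nodefault,cert,pka,dane,wkd,keyserver
# tries the mechanisms, as the quoted session shows them.
MECHANISMS = ["DNS CERT", "PKA", "DANE", "WKD", "keyserver"]

FAIL_RE = re.compile(r"^gpg: error retrieving '([^']+)' via ([A-Za-z ]+?): (.+)$")
OK_RE = re.compile(r"^gpg: automatically retrieved '([^']+)' via ([A-Za-z ]+)$")


def parse_locate_log(stderr: str) -> Dict[str, Dict[str, str]]:
    """Map each address to {mechanism: outcome}; outcome is 'ok' or gpg's reason."""
    result: Dict[str, Dict[str, str]] = {}
    for line in stderr.splitlines():
        m = FAIL_RE.match(line)
        if m:
            addr, mech, reason = m.groups()
            result.setdefault(addr, {})[mech] = reason
            continue
        m = OK_RE.match(line)
        if m:
            addr, mech = m.groups()
            result.setdefault(addr, {})[mech] = "ok"
    return result


def discovery_report(stderr: str) -> Dict[str, List[str]]:
    """For each address, the mechanisms (in gpg's try order) that yielded a key."""
    return {addr: [mech for mech in MECHANISMS if outcomes.get(mech) == "ok"]
            for addr, outcomes in parse_locate_log(stderr).items()}


def keyserver_only(stderr: str) -> List[str]:
    """Addresses whose key was found by nothing other than a keyserver."""
    return [addr for addr, found in discovery_report(stderr).items()
            if found == ["keyserver"]]


if __name__ == "__main__":
    for addr, found in discovery_report(SAMPLE_GPG_STDERR).items():
        print(f"{addr}: found via {found or 'nothing'}")
    print("keyserver-only:", keyserver_only(SAMPLE_GPG_STDERR))
```

To run it against a real lookup, capture gpg's stderr (`2>`) from the quoted command with a target address appended and feed the text to `discovery_report`.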