sks-devel

Re: 6 million


From: Todd Fleisher
Subject: Re: 6 million
Date: Tue, 14 Apr 2020 13:41:35 -0700

On Apr 14, 2020, at 12:35, brent s. <address@hidden> wrote:

Excuse me if I sound like a troll. It is a valid question, because as you
may know public keys on SKS keyservers can be knocked out or not so nice
data can be added to them, thus not protecting users key.

That is not how any of the attacks work. At all. A keyserver can be
brought down but that doesn't magically put the integrity of the keys at
risk to tampering. (If it did, you'd have an issue with GnuPG or PGP,
not SKS.) Users' keys are protected just fine.

Maybe I’m interpreting it differently, but I think Brent brings up a fair point here. The so-called “poisoned keys” with thousands of (bogus) signatures in SKS are rendered useless. This happened to my key last year so now people have to obtain it from other locations outside of SKS. I’m actually glad there are alternate key server environments that help meet this need even if I don’t like other things about said key servers.

On Apr 14, 2020, at 12:46, Stefan Claas <address@hidden> wrote:

Todd Fleisher wrote:

So much this. Some of us have a legitimate need for what SKS provides that
can’t be accommodated by the new kids on the block like Hagrid & Mailvelope.
Neither supports third party signatures and the web of trust. I’ve reached
out to the Hagrid team about that & peering but  People also seem to still be
actively using SKS for new & updated keys as well, based on the stats page.

I have talked last year with the Mailvelope guys about other things, but they
are very friendly. And I like to point out that Mailvelope keeps your
Signatures and is probably the most secure key server as of today. The only
thing missing AFAIK is the peering capabilities that SKS has, but I could
imagine if you guys would show your support to the Mailvelope keyserver, the
development team would listen. At least worth a try.

That’s good to hear. I’ve heard of Mailvelope, but haven’t really looked at it yet. Their site does specifically say “No Web of Trust” though, so I’m not sure it’s accurate to say they support third party signatures.

However, there are other issues I’m already seeing where people & GPG software packages are moving from SKS to Hagrid. Since the keys exist in both places, but likely will only get updated on the “newer” key server you have to know where to look for their most current key. There’s also Flowcrypt that maintains their own key server, so I’m a little hesitant to say it’s a good thing to add yet another key server to the mix for public consumption.

Finally, I know Hagrid doesn’t support wildcard domain searches. You have to know exactly what email address or GPG key ID you are looking for. This is also currently a show stopper for me as I use that combined with the web of trust to discover and validate keys for multiple domains.

On Apr 14, 2020, at 13:01, Stefan Claas <address@hidden> wrote:

I do not want to manipulate people('s opinion) and I am fine that you guys
still operate your services, even if I can't understand why.

I think the simplest explanation is because people need and are using it (as seen in these stats from my 2 environments: https://imgur.com/a/cQ2Kr5h). Also, in my experience, it currently doesn’t take much time, effort, or resources on my end to keep it going. It’s certainly less effort leaving it in place than tearing it all down, but the real reason is it serves a useful function.

-T

Attachment: signature.asc
Description: Message signed with OpenPGP
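The "poisoned keys" Todd mentions are keys that have been bloated with thousands of bogus third-party signatures. Before importing a key fetched from any keyserver, a defender can inspect its packet stream and refuse keys whose signature count is implausible. The script below is an added example written for this page; it is not code from the sks-devel thread or from SKS, Hagrid or Mailvelope. It walks the OpenPGP packet framing from RFC 4880 section 4.2 (old- and new-format headers), counts signature packets per User ID, and flags User IDs above a threshold. The threshold value, the sample key and the armor builder are all assumptions constructed here; the packet bodies are dummy bytes because only the framing matters to the count.

```python
"""Inspect an OpenPGP public key export for signature bloat (added example)."""
import base64
import struct

# RFC 4880 packet tags used here
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
TAG_PUBLIC_SUBKEY, TAG_USER_ATTRIBUTE = 14, 17

# Assumed threshold: a few dozen certifications per UID is normal, thousands is not.
MAX_SIGS_PER_UID = 500


def dearmor(text: str) -> bytes:
    """Strip an ASCII-armor envelope (RFC 4880 section 6.2) and return raw packets."""
    lines = iter(text.strip().splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP"):
            break
    else:
        raise ValueError("no armor header found")
    for line in lines:                      # skip armor headers up to the blank line
        if not line.strip():
            break
    b64 = []
    for line in lines:
        line = line.strip()
        if line.startswith("=") or line.startswith("-----END PGP"):
            break                           # CRC line or end of armor
        b64.append(line)
    return base64.b64decode("".join(b64))


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; partial body lengths are rejected."""
    pos, n = 0, len(data)
    while pos < n:
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        pos += 1
        if first & 0x40:                    # new-format header
            tag, b1 = first & 0x3F, data[pos]
            pos += 1
            if b1 < 192:
                length = b1
            elif b1 < 224:
                length = ((b1 - 192) << 8) + data[pos] + 192
                pos += 1
            elif b1 == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not supported here")
        else:                               # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                length = n - pos            # indeterminate: runs to end of input
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        pos += length
        yield tag, body


def signature_profile(data: bytes) -> dict:
    """Count packets and attribute each signature to the UID/subkey it follows."""
    prof = {"keys": 0, "subkeys": 0, "uids": 0, "signatures": 0, "per_uid": {}}
    current = "<primary>"
    for tag, body in iter_packets(data):
        if tag == TAG_PUBLIC_KEY:
            prof["keys"] += 1
            current = "<primary>"
        elif tag == TAG_PUBLIC_SUBKEY:
            prof["subkeys"] += 1
            current = "<subkey>"
        elif tag in (TAG_USER_ID, TAG_USER_ATTRIBUTE):
            prof["uids"] += 1
            current = body.decode("utf-8", "replace") if tag == TAG_USER_ID else "<user attribute>"
        elif tag == TAG_SIGNATURE:
            prof["signatures"] += 1
            prof["per_uid"][current] = prof["per_uid"].get(current, 0) + 1
    return prof


def bloated_uids(data: bytes, limit: int = MAX_SIGS_PER_UID) -> list:
    """Return the UIDs whose signature count exceeds the (assumed) limit."""
    return [uid for uid, n in signature_profile(data)["per_uid"].items() if n > limit]


def _packet(tag: int, body: bytes) -> bytes:
    """Build a new-format packet; used only to construct the sample key."""
    hdr, n = bytes([0xC0 | tag]), len(body)
    if n < 192:
        return hdr + bytes([n]) + body
    if n < 8384:
        n -= 192
        return hdr + bytes([(n >> 8) + 192, n & 0xFF]) + body
    return hdr + b"\xff" + struct.pack(">I", n) + body


def build_sample_key(third_party_sigs: int) -> bytes:
    """Constructed key: primary key, one UID, one self-sig stand-in, N extra sigs."""
    pkt = _packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 20)
    pkt += _packet(TAG_USER_ID, b"Example User <user@example.invalid>")
    pkt += _packet(TAG_SIGNATURE, b"\x04\x13" + b"\x00" * 12)       # self-sig stand-in
    for _ in range(third_party_sigs):
        pkt += _packet(TAG_SIGNATURE, b"\x04\x10" + b"\x00" * 12)   # third-party stand-in
    return pkt


def armor(data: bytes) -> str:
    """Minimal public-key armor for the constructed sample (CRC line omitted)."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{body}\n-----END PGP PUBLIC KEY BLOCK-----\n"


if __name__ == "__main__":
    for name, sigs in (("healthy", 5), ("poisoned", 2000)):
        key = dearmor(armor(build_sample_key(sigs)))
        prof = signature_profile(key)
        print(f"{name}: {prof['signatures']} signatures, bloated UIDs: {bloated_uids(key)}")
```

Run against a real export (`gpg --export --armor KEYID`) the same functions apply unchanged; the count alone does not tell you which signatures are bogus, it only tells you the key is not safe to import as-is, which is the point at which GnuPG's own cleaning options or an alternative source for the key come into play.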

