Re: “Keyservers are actually useless these days and I wish they could go


From: Dmitry Alexandrov
Subject: Re: “Keyservers are actually useless these days and I wish they could go away”
Date: Wed, 17 Jul 2019 14:44:55 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Werner Koch <wk@gnupg.org> wrote:
> Keyservers are actually useless these days and I wish they could go away.

An advocate of the ‘Web of Trust’ hardly agrees with that.  I am not one; 
however, I’m really intrigued — what do you suggest using instead?

> Looking up key at a keyserver does not give you any indication that the key 
> belongs to the claimed mail address.

But they were never intended to do so, were they?  They are meant to reliably 
_publish_ your key, and they have been doing their job fairly well, as far as I 
can tell.  What might be the substitute?  Bittorrent?  Blockchain?

> A validating key server tries to fix this by claiming authority to check the 
> mail.

That’s an interesting sociotechnical task, but the topical issue is not about 
verifying vs non-verifying.

I believe nobody opposes running a proprietary service for distributing 
keys, verifying or not, gratis or paid (yes, why not?).  Setting it as a 
default is what I see as a dubious act.

Moreover, I suppose few would have anything against a default server that also 
optionally performs an email / SIP / GNU Social / whatever check, as long as it’s 
not a walled garden like keys.opengpg.org, which is detached from the de-facto 
standard network (that was SKS) and therefore breaks seamless compatibility 
between various GPG frontends and GPG-compatible clients.


Actually, if I am not mistaken, before the SKS-based WoT practically went out 
of operation after the DoS attack, doing that did not require any changes 
either in SKS or in GPG: a server could check the email and sign a key, and 
a frontend could check its signature — that’s all.  Or am I mistaken?

> However, this gets us back into the X.509 centralized world.

But that does not, so long as no one is forbidden to run yet another verifier, 
connected to the common WoT.
