Hi! Just for the records
> Oh, I didn't know, I was advised yesterday on another irc channel
> (#debian-facile) to change my key server:
>
> "They were ('keys.gnupg.net' and others) all flooded with fake keys
> mid-2019

You can't talk about fake keys on a keyserver. That is not the task of a keyserver. A keyserver is just a place to store arbitrary keys. The user needs to make sure whether the key is authentic.

The actual DoS problem was that the keyservers also carry key signatures. This led to some very large keys (due to arbitrarily added key signatures) which took very long for gpg to check. This has meanwhile been fixed by gpg by not importing 3rd party key-signatures anymore.

There is actually no way, in a system which on purpose is distributed and non-controlled, to inhibit the storage of keys. The keyserver protocol unfortunately has had no specification on how to inhibit the addition of arbitrary key signatures, for example by allowing uploads of new key-signatures only by data signed by the actual key.

keys.openpgp.net OTOH does away with the concept of a decentralized system and tries again (like PGP.com and keyserver.org 20 years ago) to establish a single source for keys. That is not what PGP and thus GnuPG were invented for. Federation is okay for keyservers, but a central authority is not desirable.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
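The message above attributes the DoS to keys carrying very many third-party key signatures. As an added example (not part of the original message or of GnuPG), this sketch counts self-signatures versus third-party signatures per key in `gpg --with-colons --list-sigs` output; the sample listing, its key IDs, the function names and the threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample of `gpg --with-colons --list-sigs` output.
# Key IDs, dates and names are made up for illustration.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC::::::23::0:
uid:-::::1500000000::0000::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice Example <alice@example.org>:13x:::::10:
sig:::1:BBBBBBBBBBBBBBBB:1561000000::::[User ID not found]:10x:::::10:
sig:::1:CCCCCCCCCCCCCCCC:1561000001::::[User ID not found]:10x:::::10:
sub:-:4096:1:DDDDDDDDDDDDDDDD:1500000000::::::e::::::23:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice Example <alice@example.org>:18x:::::10:
"""

def count_signatures(colon_listing):
    """Return {primary key ID: Counter with 'self' and 'third_party' counts}."""
    stats = {}
    primary = None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # not a record carrying a key ID in field 5
        record = fields[0]
        if record == "pub":
            # Field 5 of a pub record is the primary key ID.
            primary = fields[4]
            stats[primary] = Counter()
        elif record in ("sig", "rev") and primary is not None:
            # Field 5 of a sig/rev record is the issuer's key ID.
            kind = "self" if fields[4] == primary else "third_party"
            stats[primary][kind] += 1
    return stats

def flooded_keys(colon_listing, threshold=1000):
    """Key IDs whose third-party signature count exceeds the (assumed) threshold."""
    return [key for key, c in count_signatures(colon_listing).items()
            if c["third_party"] > threshold]

if __name__ == "__main__":
    for key, c in count_signatures(SAMPLE).items():
        print(key, "self:", c["self"], "third-party:", c["third_party"])
```
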