On Sat, Oct 18, 2014 at 10:25:19PM -0700, Daniel Roesler wrote:
> Howdy all, as always, if this is off topic, please direct me to the
> appropriate mailing list.

Something more like cpunks or some gnupg list would probably be more on topic.

> Today I randomly visited http://keys.gnupg.net/, which appears to be
> loading various compromised and broken pages[1][2], which was
> confirmed by Zaki and Rhodey[3].

keys.gnupg.net is a DNS round robin pointing to several hosts run by different parties. This works just fine if you depend on the PGP Web of Trust for your authenticity and privacy, because mutually untrusting hosts in different administrative domains can provide assertions and ones that misbehave can be ignored or whatever.

This model works much less well when crossed with the TLS X.509 certification scheme, where a Trusted Third Party is expected to attest that a specific Private Key entitles the possessor to complete control of traffic associated with the given name. As a result, https:// and hkps:// protocols are more or less fundamentally incompatible with volunteer-operated multi-organizational load sharing schemes based on DNS round robin records.

> keys.gnupg.net is the default keyserver for which GPG on my Xubuntu
> 14.04 sends and receives keys, so I'd presume this is not expected
> behavior.

The catch is that most Internet users now assume that HTTP is the only (or at least the preeminent) way to use the internet. DNS round robin application schemes harken back to an earlier, multiprotocol Internet.

-andy

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
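The point Andy makes above (a certificate binds a key to a specific name, so a round-robin pool of independently operated hosts only works over https:// or hkps:// if every member presents a certificate valid for the shared name) can be turned into a concrete audit. The script below is an added example and is not code from the thread or from the GnuPG project. The hostname matcher and the sample pool are constructed for illustration (the 192.0.2.x addresses and the *.example names are placeholders, not real keyserver operators); the live probe uses only Python's standard ssl and socket modules and simply reports, per resolved address, whether a verifying TLS handshake with SNI set to the shared name succeeds.

```python
"""Audit whether every host behind a DNS round-robin name can be reached
over TLS *as that name*.  Added example, not from the mailing-list thread.

Offline part: hostname_matches() / audit_pool() evaluate a constructed
table of "address -> dNSName SANs of the certificate it presents".
Live part: probe_pool() resolves a name and performs a verifying TLS
handshake against each address with SNI = the shared name.
"""
import socket
import ssl
from typing import Dict, List, Tuple


def hostname_matches(san_dns_names: List[str], hostname: str) -> bool:
    """RFC 6125-style match of hostname against the certificate's dNSName
    entries.  A wildcard is honoured only as the whole left-most label,
    matches exactly one label, and must leave at least two fixed labels
    (so '*.net' never matches 'gnupg.net').  Simplified, but conservative."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def audit_pool(name: str, members: Dict[str, List[str]]) -> Dict[str, bool]:
    """members maps each pool address to the dNSName SANs of the certificate
    that host presents; returns address -> 'certificate covers name'."""
    return {ip: hostname_matches(sans, name) for ip, sans in members.items()}


def pool_is_tls_safe(name: str, members: Dict[str, List[str]]) -> bool:
    """True only if *every* member's certificate is valid for the shared name;
    with round robin the client cannot choose which member it reaches."""
    return all(audit_pool(name, members).values())


def probe_member(ip: str, name: str, port: int = 443,
                 timeout: float = 5.0) -> Tuple[bool, str]:
    """Live check of one pool member: verifying handshake, SNI = name."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=name) as tls:
                return True, tls.version() or "TLS"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not valid for {name}: {exc.reason}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"handshake failed: {exc}"


def probe_pool(name: str, port: int = 443) -> Dict[str, Tuple[bool, str]]:
    """Resolve every address behind name and probe each one (needs network)."""
    addrs = sorted({ai[4][0] for ai in
                    socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)})
    return {ip: probe_member(ip, name, port) for ip in addrs}


# Constructed sample pool: three operators behind one round-robin name.
# Addresses are from the documentation range; operator names are placeholders.
SAMPLE_POOL = {
    "192.0.2.10": ["keys.gnupg.net", "pgp.operator-a.example"],  # covers the name
    "192.0.2.20": ["*.operator-b.example"],  # only its own name: fails as the pool
    "192.0.2.30": ["*.gnupg.net"],           # wildcard covers keys.gnupg.net
}

if __name__ == "__main__":
    for ip, ok in audit_pool("keys.gnupg.net", SAMPLE_POOL).items():
        print(ip, "ok" if ok else "NOT valid for keys.gnupg.net")
    print("pool usable over https/hkps:", pool_is_tls_safe("keys.gnupg.net", SAMPLE_POOL))
```

Run it as-is for the offline table; call probe_pool("some.round-robin.name") to check a real pool, keeping in mind that a single failing member is enough to make the name unreliable over TLS, since clients are handed members at the resolver's discretion.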
