> On Apr 14, 2020, at 12:35, brent s. <b...@square-r00t.net> wrote:
>
>> Excuse me if I sound like a troll. It is a valid question, because as you
>> may know public keys on SKS keyservers can be knocked out or not so nice
>> data can be added to them, thus not protecting users' keys.
>
> That is not how any of the attacks work. At all. A keyserver can be
> brought down but that doesn't magically put the integrity of the keys at
> risk to tampering. (If it did, you'd have an issue with GnuPG or PGP,
> not SKS.) Users' keys are protected just fine.
Maybe I’m interpreting it differently, but I think Brent brings up a fair point here. The so-called “poisoned keys” with thousands of (bogus) signatures in SKS are rendered useless. This happened to my key last year, so now people have to obtain it from other locations outside of SKS. I’m actually glad there are alternate key server environments that help meet this need, even if I don’t like other things about said key servers.

> On Apr 14, 2020, at 12:46, Stefan Claas <s...@300baud.de> wrote:
>
> Todd Fleisher wrote:
>
>> So much this. Some of us have a legitimate need for what SKS provides that
>> can’t be accommodated by the new kids on the block like Hagrid & Mailvelope.
>> Neither supports third-party signatures and the web of trust. I’ve reached
>> out to the Hagrid team about that & peering, but people also seem to still be
>> actively using SKS for new & updated keys as well, based on the stats page.
>
> I have talked last year with the Mailvelope guys about other things, but they
> are very friendly. And I like to point out that Mailvelope keeps your
> signatures and is probably the most secure key server as of today. The only
> thing missing AFAIK is the peering capabilities that SKS has, but I could
> imagine if you guys would show your support to the Mailvelope keyserver, the
> development team would listen. At least worth a try.

That’s good to hear. I’ve heard of Mailvelope, but haven’t really looked at it yet. Their site does specifically say “No Web of Trust” though, so I’m not sure it’s accurate to say they support third-party signatures. However, there are other issues I’m already seeing where people & GPG software packages are moving from SKS to Hagrid. Since the keys exist in both places, but likely will only get updated on the “newer” key server, you have to know where to look for their most current key.
There’s also Flowcrypt that maintains their own key server, so I’m a little hesitant to say it’s a good thing to add yet another key server to the mix for public consumption. Finally, I know Hagrid doesn’t support wildcard domain searches. You have to know exactly what email address or GPG key ID you are looking for. This is also currently a show stopper for me as I use that combined with the web of trust to discover and validate keys for multiple domains.

> On Apr 14, 2020, at 13:01, Stefan Claas <s...@300baud.de> wrote:
>
> I do not want to manipulate people('s opinion) and I am fine that you guys
> still operate your services, even if I can't understand why.

I think the simplest explanation is because people need and are using it (as seen in these stats from my 2 environments: https://imgur.com/a/cQ2Kr5h). Also, in my experience, it currently doesn’t take much time, effort, or resources on my end to keep it going. It’s certainly less effort leaving it in place than tearing it all down, but the real reason is it serves a useful function.

-T
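A defender-side check for the certification-flooded ("poisoned") keys discussed in the thread, added here as an example and not code from the thread, SKS or GnuPG: it walks the packets of a binary OpenPGP key block and flags any User ID that carries more signature packets than a policy threshold, so a flooded key can be rejected before it is imported. The threshold of 50, the packet builder and the sample key blocks are assumptions constructed for the example; only packet headers are read, no signature is verified.

```python
"""Header-level check for an OpenPGP key block carrying a certification flood.
Walks the packet sequence (RFC 4880 section 4.2); it does not verify signatures."""


def _body_len(data, pos, first):
    """Return (body_length, header_size) for the packet header at pos."""
    if first & 0x40:                      # new-format header
        o = data[pos + 1]
        if o < 192:
            return o, 2
        if o < 224:
            return ((o - 192) << 8) + data[pos + 2] + 192, 3
        if o == 255:
            return int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        raise ValueError("partial body lengths are not supported")
    n = 1 << (first & 0x03)               # old-format header: 1, 2 or 4 length octets
    if n == 8:
        raise ValueError("indeterminate length is not supported")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n


def iter_packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) key block."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("byte %d is not an OpenPGP packet header" % pos)
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        length, hdr = _body_len(data, pos, first)
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def cert_counts(data):
    """Map each User ID to the number of signature packets attached to it."""
    counts, current = {}, None
    for tag, body in iter_packets(data):
        if tag == 13:                     # User ID: following signatures certify it
            current = body.decode("utf-8", "replace")
            counts[current] = 0
        elif tag == 2 and current is not None:
            counts[current] += 1
        elif tag in (6, 14):              # primary key or subkey ends the UID context
            current = None
    return counts


def is_poisoned(data, limit=50):  # limit is an assumed local policy threshold
    return any(n > limit for n in cert_counts(data).values())


def _pkt(tag, body):  # new-format header for a small body; constructed sample data only
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed sample key blocks: a normal key, and one whose second User ID is flooded.
SAMPLE_NORMAL = _pkt(6, b"\x04key") + _pkt(13, b"alice@example.org") + _pkt(2, b"\x04sig")
SAMPLE_FLOODED = SAMPLE_NORMAL + _pkt(13, b"alice@example.net") + _pkt(2, b"\x04sig") * 1200
```

Feed `is_poisoned` the binary output of `gpg --export <keyid>` (dearmored) to screen a key before importing it.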