[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On Saturday, 8 August 2020 17:00:30 BST maceion@xxxxxxxxx wrote: > > Any comment from you knowledgeable folk about key servers? Last time I looked, and it was a long long time ago, nearly all the major key servers were running versions of key signing software with known security flaws. Now in theory this doesn't matter, since the security of the chain is dependent on the keys themselves, meanwhile in practice if you can keep stale material current, reject new key material, or flood bad, or fake material, you get to play games that key servers should seek to suppress. Back then most key servers didn't fully grasp subkeys, and some didn't even handle them. I'd be surprises if the situation was quiet as bad as regards software maintenance as I'm sure more of these packages are in distros by now. I'm be surprised if the situation was fantastic, unless the main key server operators have deliberately undertaken work to make it so. Note also since this I had discussion on FB with the chap who invented the whole web of trust, he apparently regards it as a mistake. Trust doesn't work like that. So whilst keyservers may be a convenient way of distributing certain keys, how you establish trust in those keys is another question entirely, hopefully by a slightly more formal process than the web of trust. -- The Mailing List for the Devon & Cornwall LUG https://mailman.dcglug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq