On Wed, Aug 12, 2020 at 04:11:46PM +0100, Simon Waters wrote:
> On Saturday, 8 August 2020 17:00:30 BST maceion@xxxxxxxxx wrote:
> >
> > Any comment from you knowledgeable folk about key servers?
>
> Last time I looked, and it was a long long time ago, nearly all the major key
> servers were running versions of key signing software with known security
> flaws.
>
> Now in theory this doesn't matter, since the security of the chain is
> dependent on the keys themselves, meanwhile in practice if you can keep stale
> material current, reject new key material, or flood bad, or fake material, you
> get to play games that key servers should seek to suppress.
>
> Back then most key servers didn't fully grasp subkeys, and some didn't even
> handle them. I'd be surprised if the situation was quite as bad as regards
> software maintenance as I'm sure more of these packages are in distros by now.
>
> I'd be surprised if the situation was fantastic, unless the main key server
> operators have deliberately undertaken work to make it so.
>
> Note also since this I had a discussion on FB with the chap who invented the
> whole web of trust, he apparently regards it as a mistake. Trust doesn't work
> like that. So whilst keyservers may be a convenient way of distributing
> certain keys, how you establish trust in those keys is another question
> entirely, hopefully by a slightly more formal process than the web of trust.
>

Rant: I wish some of the life companies who use PGP published their keys as opposed to removing all reference to them from their websites.

--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq