Re: indirectly recommends a proprietary service

From: Jean Louis
Subject: Re: indirectly recommends a proprietary service through the new Enigmail defaults
Date: Mon, 28 Oct 2019 16:27:26 +0530
User-agent: Mutt/1.10.1 (2018-07-13)

* Dmitry Alexandrov <> [2019-10-28 15:21]:
> Even if FSF, like Werner Koch <>, believes that there is
> nothing wrong ethically with steering users to an isolated
> proprietary service, the guide is simply incorrect factually.

Do you refer to an online service?

Are not all websites proprietary? Even if they allow copying, websites
still belong to somebody.

> However, since the last week this is no longer true, as Patrick
> Brunschwig <>, an author of Enigmail, making use
> of a recently exploited security flaw in SKS network, which the
> guide describes, changed the default keyserver from the SKS
> round-robin pool, to a *proprietary centralized service* [2], “one
> of whose initiators” he was, and which does _not_ share the base
> with SKS: as of now, it provides info for about 5 000 emails
> (SKS — for about 5 000 000 keys).

> [2]

I understand there is an issue with the SKS network and that Patrick found
some solution to the problem. So far that is not running of
proprietary software, it is more a solution to the problem that exists
in society in form of the online service.

Centralized services we know by history, that shall be avoided.

Maybe it is time to write new SKS-type of decentralized PGP servers as
a new software.

In my sphere of work we use GnuPG keys, but we do not use servers. It
is not the only way to exchange PGP keys. I rather rely on what the author
or PGP key owner tells me than what a key server tells me.

Then in the next step, if the key is from a webserver or from a
supposed email address that belongs to the person in question, one
shall call the person or meet face to face or otherwise make sure that
the key belongs to the person. That is done by verification of
fingerprints. Verification is never good enough if one has not seen
the person face to face or talked by phone by knowing firmly that the
voice on the phone really belongs to the person. Isn't it?
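
The fingerprint check described in the message above, as an added example that is not part of the original email: it computes the fingerprint of a received OpenPGP v4 public-key packet (RFC 4880, section 12.2) and compares it with the full fingerprint the owner reads out by phone or in person. The function names and the sample packet are hypothetical, and the input is assumed to be the binary (non-armored) primary key packet.

```python
import hashlib
import hmac
import struct

def v4_fingerprint(packet: bytes) -> str:
    """SHA-1 fingerprint of a binary OpenPGP v4 public-key packet (RFC 4880, 12.2)."""
    tag = packet[0]
    if not tag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag & 0x40:  # new-format header: packet tag in the low 6 bits
        ptag, first = tag & 0x3F, packet[1]
        if first < 192:
            length, offset = first, 2
        elif first < 224:
            length, offset = ((first - 192) << 8) + packet[2] + 192, 3
        elif first == 255:
            length, offset = int.from_bytes(packet[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not valid for a key packet")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        ptag, ltype = (tag >> 2) & 0x0F, tag & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, offset = int.from_bytes(packet[1:1 + size], "big"), 1 + size
    body = packet[offset:offset + length]
    if ptag != 6 or len(body) != length or body[:1] != b"\x04" or length > 0xFFFF:
        raise ValueError("expected a complete v4 public-key packet")
    # The hash always covers 0x99, a two-octet length, then the packet body.
    return hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()

def normalize(spoken: str) -> str:
    """Strip spacing from a fingerprint read aloud; reject short key IDs."""
    cleaned = "".join(spoken.split()).upper()
    if len(cleaned) != 40 or set(cleaned) - set("0123456789ABCDEF"):
        raise ValueError("need the full 40-hex-digit fingerprint")
    return cleaned

def key_matches(packet: bytes, spoken: str) -> bool:
    """True only if the received key hashes to the fingerprint given out of band."""
    return hmac.compare_digest(v4_fingerprint(packet), normalize(spoken))

# Constructed sample (not a real key): v4, creation time, RSA, toy MPIs n and e.
SAMPLE_BODY = (b"\x04" + struct.pack(">I", 1572260246) + b"\x01"
               + b"\x00\x10\xc3\x5b" + b"\x00\x11\x01\x00\x01")
SAMPLE_PACKET = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    print(v4_fingerprint(SAMPLE_PACKET))
```

Rejecting anything shorter than 40 hex digits matters here because 8-digit and 16-digit key IDs can be made to collide, so only the full fingerprint is worth comparing.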