Re: emailselfdefense.fsf.org indirectly recommends a proprietary service through the new Enigmail defaults
Mon, 28 Oct 2019 15:22:57 +0300
Jean Louis <email@example.com> wrote:
> * Dmitry Alexandrov <firstname.lastname@example.org> [2019-10-28 15:21]:
>> Even if FSF, like Werner Koch <email@example.com>, believes that there is nothing
>> wrong ethically with steering users to an isolated proprietary service, the
>> guide is simply incorrect factually.
> Do you refer to online service?
Yes, to https://keys.openpgp.org.
> Are not all websites proprietary? Even if they allow copying, websites still
> belong to somebody.
Yes, all websites are proprietary. However, not every type of online service
is. Or ‘network’, if you do not like the word ‘service’.
In particular, the SKS keyserver network — the de-facto standard for years — is
not, it is a decentralized replicated network — like Usenet; while
keys.openpgp.org, to carry on the analogy, is like Facebook.
>> However, since the last week this is no longer true, as Patrick Brunschwig
>> <firstname.lastname@example.org>, an author of Enigmail, making use of a recently
>> exploited security flaw in SKS network, which the guide describes, changed
>> the default keyserver from the SKS round-robin pool, to a *proprietary
>> centralized service*, “one of whose initiators” he was, and which does
>> _not_ share the base with SKS: as of now, it provides info for about
>> 5 000 emails (SKS — for about 5 000 000 keys).
> I understand there is an issue with SKS network
With GnuPG. And it had been quickly fixed (if disabling a feature could be
called a ‘fix’).
> and that Patrick found some solution to the problem.
Yes, and the solution was: silently (without consent or even notification)
alter both the defaults and any _manual configurations_ done, thus luring all
unsuspicious Enigmail users from the standard distributed network into some
freshly established private service, where centralized control over all the
data is _not_ a child illness, but a design. Clever, is it not?
> So far that is not running of proprietary software,
What does it matter, what software it runs: free or not, if I am not
allowed to run my own server of that network in any case?
> Centralized services we know by history, that shall be avoided.
Exactly. Especially when the distributed network not merely exists, but prior
to that diversion was virtually the only choice.
> Maybe it is time to write new SKS-type of decentralized PGP servers as a new
Maybe. In the meantime, SKS is _fully operational_.
> In my sphere of work we use GnuPG keys, but we do not use servers. It is not
> the only way to exchange PGP keys.
FWIW, I got your key from SKS network and have no idea, where else I could.
You, I suppose, got mine in the same way.
In any case, thatʼs an irrelevant topic.