libreplanet-discuss
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: emailselfdefense.fsf.org indirectly recommends a proprietary service


From: Dmitry Alexandrov
Subject: Re: emailselfdefense.fsf.org indirectly recommends a proprietary service through the new Enigmail defaults
Date: Mon, 28 Oct 2019 15:22:57 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Jean Louis <bugs@gnu.support> wrote:
> * Dmitry Alexandrov <address@hidden> [2019-10-28 15:21]:
>> Even if FSF, like Werner Koch <address@hidden>, believes that there is 
>> nothing wrong ethically with steering users to an isolated proprietary 
>> service, the guide is simply incorrect factually.
>
> Do you refer to online service?

Yes, to https://keys.openpgp.org.

> Are not all websites proprietary? Even if they allow copying, websites still 
> belong to somebody.

Yes, all websites are proprietary.  However, not every type of online service 
is.  Or ‘network’, if you not like the word ‘service’.

In particular, the SKS keyserver network — the de-facto standard for years — is 
not, it is a decentralized replicated network — like Usenet; while 
keys.openpgp.org, to carry on the analogy, is like Facebook.

>> However, since the last week this is no longer true, as Patrick Brunschwig 
>> <address@hidden>, an author of Enigmail, making use of a recently exploited 
>> security flaw in SKS network, which the guide describes, changed the default 
>> keyserver from the SKS round-robin pool, to a *proprietary centralized 
>> service* [2], “one of whose initiators” he was, and which does _not_ share 
>> the base with with SKS: as of now, it provides info for about 5 000 email’s 
>> (SKS — for about 5 000 000 keys).
>
> I understand there is issue with SKS network

With GnuPG.  And it had been quickly fixed (if disabling a feature could be 
called a ‘fix’).

> and that Patrick found some solution to the problem.

Yes, and the solution was: silently (without consent or even notification) 
alter both the defaults and any _manual configurations_ done, thus luring all 
unsuspicious Enigmail users from the standard distributed network into some 
freshly established private service, where centralized control over all the 
data is _not_ a child illness, but a design.  Clever, is not it?

> So far that is not running of proprietary software,

What does it matter, what software it runs: free or not [0], if I am not 
allowed to run an own server of that network in any case?

[0] https://www.gnu.org/philosophy/network-services-arent-free-or-nonfree.html

> Centralized services we know by history, that shall be avoided.

Exactly.  Especially when the distributed network not merely exists, but prior 
that diversion was virtually the only choice.

> Maybe it is time to write new SKS-type of decentralized PGP servers as a new 
> software.

Maybe.  In meantime, SKS is _fully operational_.

> In my sphere of work we use GnuPG keys, but we do not use servers. It is not 
> the only way to exchange PGP keys.

FWIW, I got your key from SKS network and have no idea, where else I could.  
You, I suppose, got mine in the same way.

In any case, thatʼs irrelevant topic.

Attachment: signature.asc
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]