libreplanet-discuss

Re: emailselfdefense.fsf.org indirectly recommends a proprietary service


From: Dmitry Alexandrov
Subject: Re: emailselfdefense.fsf.org indirectly recommends a proprietary service through the new Enigmail defaults
Date: Tue, 29 Oct 2019 11:23:15 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Jean Louis <bugs@gnu.support> wrote:
> * Dmitry Alexandrov <address@hidden> [2019-10-28 17:53]:
>> the SKS keyserver network — the de-facto standard for years — is not 
>> [proprietary], it is a decentralized replicated network — like Usenet; while 
>> keys.openpgp.org, to carry on the analogy, is like Facebook.
>
> Yes, I would say it should be decentralized.

I did not expect any other answer here — at libreplanet-discuss.  The question 
is: what to do?  First of all, how to make that clear to those who do not see 
any danger in the situation — like Werner Koch?

> But I see the problem

What problem?

> and that problem is temporarily solved by that service.

In any case, if thatʼs a ‘solution’, I have a much better one: cease to use email 
and PGP, and switch to, say, WhatsApp.

>> Maybe.  In the meantime, SKS is _fully operational_.
>
> Is it?

Yes.  Dozens of keyservers are still there and provide all the services they 
used to provide.

> Is the security problem solved?

There was no security problem at all.

There is a performance problem not in SKS but _in GnuPG_, which rendered it 
unusable for a polluted ‘web of trust’.  It was ‘solved’ by disabling the ‘web of 
trust’ functionality by default.  It can still be enabled if you need it and are 
ready to face GnuPGʼs bugs.  But most of GnuPGʼs users — including me and you — did 
not use the ‘WoT’ anyway, so there is no problem for them at all.

Please note, the proprietary keyserver does not provide support for the ‘WoT’ at 
all.  It also lacks other features of SKS and imposes arbitrary restrictions on 
you: for instance, you are not allowed to specify more than one email address.

But these are minor issues compared to the fact that it is a walled garden 
specifically designed to collect all the data in a single place and keep it 
secret.

>> FWIW, I got your key from SKS network and have no idea, where else I could.  
>> You, I suppose, got mine in the same way.
>
> You would ask the person. That is number one. You could find keys on websites, 
> but in general you ask people.
>
> Finding a key on the server is not essential.

To repeat: I found your key on the keyserver, and have no clue where else I could 
have found it.

In other words, your statement is equivalent to “using encryption is not 
essential for mail exchange”.  Yes, it is not: I could mail you in cleartext 
and by all means would do that, if I had not located your key.

> I do not even know whether I published it or not, I do not know.

Yes, you did.  And thatʼs the _only_ standard way you made it available:

        $ gpg --auto-key-locate=nodefault,cert,pka,dane,wkd,keyserver --locate-keys bugs@gnu.support
        gpg: error retrieving 'bugs@gnu.support' via DNS CERT: Not found
        gpg: error retrieving 'bugs@gnu.support' via PKA: Not found
        gpg: error retrieving 'bugs@gnu.support' via DANE: Not found
        gpg: error retrieving 'bugs@gnu.support' via WKD: No data
        gpg: key 12BC51224B9DC65C: "Jean Louis <bugs@gnu.support>" not changed
        gpg: Total number processed: 1
        gpg:              unchanged: 1
        gpg: automatically retrieved 'bugs@gnu.support' via keyserver
        pub   rsa2048 2016-11-13 [SC]
                  BFDFE35C128B5DF0E21E5F0812BC51224B9DC65C
        uid           [ unknown] Jean Louis <bugs@gnu.support>
        sub   rsa2048 2016-11-13 [E]

You do not use Autocrypt either, so itʼs extremely sad that you did that 
unintentionally.  I wish PGP to gain more adoption.

But thatʼs an entirely different topic: the question is not whether PGP should 
gain more adoption and, if yes, how to publish keys.

The question is about choice between two keyserver networks: one is 
decentralized (and featureful), another is proprietary (and crippled).  Is not 
the answer obvious?

Attachment: signature.asc
Description: PGP signature
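The gpg transcript above tries several discovery methods before falling back to the keyserver, and one of them, WKD, reports "No data". As an added example that is not part of the original message or of GnuPG, the following Python computes the two Web Key Directory URLs gpg fetches for an address (SHA-1 of the lower-cased local part, z-base-32 encoded, per the WKD draft), so a domain owner can check what would have to exist for that step to succeed; the address bugs@gnu.support is taken from the transcript, and the resulting URLs are computed, not verified against the live domain.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet required by the Web Key Directory draft (draft-koch-openpgp-webkey-service).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding, as WKD requires."""
    bits = 0
    nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 0x1F])
    if nbits:  # flush the remaining bits, left-aligned in a final 5-bit group
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hash: SHA-1 of the lower-cased local part, z-base-32 encoded (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 160 bits divide evenly into 32 groups of 5


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs a client tries for an address.

    The l= query parameter carries the local part as originally written; only
    the hash input is lower-cased.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    l_param = quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


if __name__ == "__main__":
    # Address taken from the gpg transcript in the message above.
    for method, url in wkd_urls("bugs@gnu.support").items():
        print(f"{method:8s} {url}")
```

If neither URL serves a binary OpenPGP key, gpg reports the "via WKD: No data" line seen in the transcript and moves on to the next configured method.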
