Date: Fri, 10 Oct 2014 11:47:28 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: David Leon Gil <coruus@...il.com>, oss-security@...ts.openwall.com
CC: "gnupg-devel@...pg.org" <gnupg-devel@...pg.org>, Werner Koch <wk@...pg.org>, thijs@...ian.org
Subject: Re: 0xdeadbeef comes of age: making keysteak with GnuPG

On 10/10/2014 11:06 AM, David Leon Gil wrote:
> (In summary: If you don't use the WoT, get OpenPGP keys via HTTPS.
> E.g.: keybase.io or pgp.mit.edu (the latter thanks to Yan Zhu's
> lobbying).)

If we're going to advocate for accessing keyservers via https (which i
think is a lovely idea, even if it doesn't mitigate all possible
attacks), it's worth advocating for the well-curated
hkps.pool.sks-keyservers.net, rather than encouraging everyone to flood
either https://keybase.io or https://pgp.mit.edu with traffic.

I agree with David and Thijs that OpenPGP v3 keys are long overdue for
the chopping block.

--dkg

https://sks-keyservers.net/overview-of-pools.php#pool_hkps

Download attachment "signature.asc" of type "application/pgp-signature" (950 bytes)