Date: Fri, 10 Oct 2014 11:47:28 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: David Leon Gil <coruus@...il.com>, oss-security@...ts.openwall.com
CC: "gnupg-devel@...pg.org" <gnupg-devel@...pg.org>,
 Werner Koch <wk@...pg.org>, thijs@...ian.org
Subject: Re: 0xdeadbeef comes of age: making keysteak with GnuPG

On 10/10/2014 11:06 AM, David Leon Gil wrote:
> (In summary: If you don't use the WoT, get OpenPGP keys via HTTPS.
> E.g.: keybase.io or pgp.mit.edu (the latter thanks to Yan Zhu's
> lobbying).)

If we're going to advocate for accessing keyservers via https (which I
think is a lovely idea, even if it doesn't mitigate all possible
attacks), it's worth advocating for the well-curated
hkps.pool.sks-keyservers.net [0], rather than encouraging everyone to
flood either https://keybase.io or https://pgp.mit.edu with traffic.

I agree with David and Thijs that OpenPGP v3 keys are long overdue for
the chopping block.

	--dkg

[0] https://sks-keyservers.net/overview-of-pools.php#pool_hkps

