Date: Sun, 10 Dec 2017 16:31:53 -0500
From: Phil Pennock <oss-security-phil@...dhuis.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Recommendations GnuPG-2 replacement

On 2017-12-10 at 14:16 +0100, Marcus Brinkmann wrote:
> Another idea I am contemplating is running my own little keyserver that
> does only email verification. It's like registering for a website, but
> without a website. People are familiar with the concept, it gives at
> least the assurance that somebody (me) verified the email address, and
> it allows revocation.

Prior art to consider and inform your decisions:

 * 0x9710B89BCA57AD7C -- PGP Global Directory Verification Key
   + Now part of Symantec; upload key, do verification steps via email,
     get signature
 * 0x2BAE3CF6DAFFB000 -- ct magazine -- pgpCA@...heise.de
   + Some years back a German technical magazine apparently made a big
     push to get people using OpenPGP and had their own verification
     service
 * WKS in the current (>= 2.1.15) GnuPG releases, built with optional
   ./configure flag, <https://wiki.gnupg.org/WKS>
   + Software to be run by the mail-provider for a given domain, to act
     as a trusted introducer and move away from the public keyservers.
     Like finger:// but without shell access to set .pubkey|.plan files.
     Requires a fair bit of setup, if nothing ships with support
     out-of-the-box. Is one of the auto-key-locate options for GnuPG,
     under name `wkd`. KMail has built-in support

Good luck!
-Phil