Andrei POPESCU [2019-07-08T10:28:59+03] wrote:

> What would be the alternative to SKS keyservers?

Not "the" alternative but keyserver-wise there is <https://keys.openpgp.org/> which I mentioned and which uses different software. There are also other key delivery methods like WKD or just publishing your key somewhere on the net.

>> If you happen to download a huge poisoned key from an SKS keyserver
>> the above mentioned options protect your local keyring from getting
>> unknown key signatures. The checking can take some time, though.
>
> As in processing or downloading time? My systems are quite low powered
> (fanless).

Mostly processing time as "keyserver-option import-clean" has to check every key signature of the downloaded key against the local keyring. Anyway, that option should be enabled if you use SKS keyservers and don't want to import huge spammed keys to your local keyring.

>> There is also <https://keys.openpgp.org>, a keyserver which doesn't
>> distribute third-party signatures at all.
>
> If my understanding is correct it enables only a very limited use-case
> (download keys to be able to check signatures).
>
> One still has to publish keys with signatures somehow...

keys.openpgp.org doesn't distribute third-party signatures. That's one way to prevent key signature spamming.

Usually third-party key signatures (web of trust) are useful only within a specific project or other group of people who can verify each other's keys. If one's circles are small they can just export and send their key to their friends. An established community can deliver keys through their mailing list, file storage, web site or WKD service.

SKS keyservers are handy but because they are spammable (and are being spammed) some people are starting to move elsewhere. For example, in this discussion we realized that the updated key of Debian developer Donald Norwood (who signed the Debian 10 release announcement) wasn't found in the SKS keyservers but debian.org's WKD service returns a more up-to-date key.

I can see that this is happening: SKS keyservers will not be used as actively anymore and we can't get everything from there. There will be other keyserver implementations and other key delivery methods which have more restrictive settings so that key signature spamming won't be as easy.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tlikonen@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen