General Question: What is the state of the GPG keyservers ecosystem?

KMP

10 Jul, 2022 03:42 PM

As indicated, this is a general question and I’m okay if you have a reference to punt this to…

But I’m wondering about keyservers and if there is still a “web of trust” in 2022.

Clearly, with spam issues and attacks against the infrastructure and processes there was a need for keys.openpgp.org. I haven’t followed things as closely as I was when I first started with PGP, but I’m trying to reset expectations (the previous being that “theoretically” all keyservers would eventually distribute all keys).

So, from the perspective of the team, how obsolete is that idea? Is it that there is still a network of keyservers or are there separate networks based on technology, protocols of key verification, measures to protect email identities, and/or usage profiles?

I was used to using tools on macOS to verify keys and occasionally signed package downloads for other platforms - this doesn’t seem to work as well as the UI really wants to encourage me to just use the default keyserver. The other thing that doesn’t seem to work is having people using Thunderbird for Linux whose keys are… where?

And/or, to what extent have most people migrated to a TOFU policy?

This is sort of a FAQ, but also I’d love some clarity on what is current practice. Thanks!
