Message-ID: <CAA7UWsW7jo9fE3NTv7QbRLHt33BpBPyuwX_b_2fU2P+Ce+P5ZQ@mail.gmail.com>
Date: Fri, 10 Oct 2014 15:15:46 -0400
From: David Leon Gil <coruus@...il.com>
To: Kristian Fiskerstrand <kristian.fiskerstrand@...ptuouscapital.com>
Cc: Daniel Kahn Gillmor <dkg@...thhorseman.net>, oss-security@...ts.openwall.com, "gnupg-devel@...pg.org" <gnupg-devel@...pg.org>, Werner Koch <wk@...pg.org>, thijs@...ian.org
Subject: Re: HKPS [was 0xdeadbeef]

So this doesn't get lost: I'm convinced by dkg and Kristian's
arguments: Use hkps with hkps.pool.sks-keyservers.net

GnuPG 2.1 will ship with hkps enabled by default, I believe, and
Kristian's CA. (I don't think 2.0 does yet.)

On Fri, Oct 10, 2014 at 12:27 PM, Kristian Fiskerstrand
<kristian.fiskerstrand@...ptuouscapital.com> wrote:
> You are quite correct that I probably wouldn't, and my primary income
> is from another industry, but at the same time that does bring a
> protection as I wouldn't be discouraged to fight any oppression.

I do agree about that.

And, in fact: I failed to thank you! I've used the SKS pool you
operate for many years. You provide a critical public service.

> Although for the root
> CAs the major problem is simply the amount of CAs accepted by standard
> implementations, several of which are run by various governments. In
> the end it comes down to what the threat model is and whom you're
> protecting yourself from.

Very much agreed; my particular threat model for this *isn't*
protection against the NSA. (Aside from perhaps protection from
traffic analysis.) It's protection against much weaker threats.

> Currently the only criteria for whether someone gets a certificate for
> a server in the pool is based on technical merits . . .

One thing that one can do (which I do when I don't have a copy of a
key in one of my local keydumps) is use the strategy of Tor's
"tlsdate": use a set of servers which are unlikely to be controlled by
the same adversary.
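
As an added example of the "tlsdate" strategy described above, applied to key retrieval (this is not code from GnuPG, SKS or anyone in the thread): the script asks several keyservers for one key, groups the answers by the OpenPGP v4 fingerprint of the primary key packet rather than by raw bytes (servers legitimately hold different certification sets for the same key), and accepts the key only when a minimum number of distinct operators agree and none disagrees. The server names, operator labels, key material and placeholder "signature" packets are constructed so it runs offline; a real client would fetch each answer over HKPS and dearmor it first. The hkps.pool.sks-keyservers.net pool named above was decommissioned in 2021, so the server list is a stand-in in any case.

```python
"""Added example (not GnuPG/SKS code, not from the thread's authors): the
"tlsdate" strategy from the message above, applied to key retrieval. Server
names, operators, key material and "signature" packets are constructed so it
runs offline; a real client fetches over HKPS and dearmors (gpg --dearmor)."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

def mpi(n: int) -> bytes:                            # OpenPGP MPI: 2-byte bit length + value
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Old-format tag 6 packet (CTB 0x99: tag 6, 2-byte length) carrying a v4 RSA key."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + len(body).to_bytes(2, "big") + body

def first_packet(data: bytes):
    """Return (tag, body) of the first packet; old- and new-format headers (RFC 4880 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header
        tag, l0 = ctb & 0x3F, data[1]
        if l0 < 192:
            length, off = l0, 2
        elif l0 < 224:
            length, off = ((l0 - 192) << 8) + data[2] + 192, 3
        elif l0 == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        width = 1 << ltype
        length, off = int.from_bytes(data[1:1 + width], "big"), 1 + width
    return tag, data[off:off + length]

def fingerprint(packets: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, 2-byte length and the primary key packet body."""
    tag, body = first_packet(packets)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a v4 public-key packet first")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def fake_sig(seed: int) -> bytes:
    """Placeholder tag 2 (signature) packet standing in for a third-party certification."""
    body = seed.to_bytes(4, "big")
    return b"\x88" + bytes([len(body)]) + body       # CTB 0x88: tag 2, 1-byte length

# Constructed data: one genuine key served with differing certification sets by
# operators A, B and C, and a substituted key served by operator D.
KEYID = "0x1122334455667788"                         # lookup string only, not a real key ID
GENUINE = rsa_public_key_packet(0xC0FFEE0123456789ABCDEF0123456789ABCDEF01, 65537, 0x5437C000)
ROGUE = rsa_public_key_packet(0xBAADF00D0123456789ABCDEF0123456789ABCDEF01, 65537, 0x5437C000)
RESPONSES = {
    "keys1.op-a.example": {KEYID: GENUINE + fake_sig(1) + fake_sig(2)},
    "keys2.op-a.example": {KEYID: GENUINE + fake_sig(1)},
    "keys.op-b.example": {KEYID: GENUINE + fake_sig(3)},
    "keys.op-c.example": {KEYID: GENUINE},
    "keys.op-d.example": {KEYID: ROGUE + fake_sig(1) + fake_sig(2)},
}
# server -> operator: out-of-band knowledge; a pool certificate says nothing about who runs the box
HONEST_SERVERS = {"keys1.op-a.example": "A", "keys2.op-a.example": "A",
                  "keys.op-b.example": "B", "keys.op-c.example": "C"}
ALL_SERVERS = {**HONEST_SERVERS, "keys.op-d.example": "D"}

def fetch_key(server: str, keyid: str) -> Optional[bytes]:
    """Stands in for GET https://<server>/pks/lookup?op=get&search=<keyid>, dearmored."""
    return RESPONSES.get(server, {}).get(keyid)

@dataclass
class Result:
    status: str                                      # ok | conflict | insufficient | no-answer
    fingerprint: Optional[str]
    by_fingerprint: Dict[str, Dict[str, List[str]]] = field(default_factory=dict)

def cross_check(keyid: str, servers: Dict[str, str],
                fetch: Callable[[str, str], Optional[bytes]], min_operators: int = 3) -> Result:
    """Accept only if min_operators distinct operators return the same fingerprint
    and nobody disagrees; blobs are not byte-compared because signature sets differ."""
    seen: Dict[str, Dict[str, List[str]]] = {}
    for server, operator in servers.items():
        blob = fetch(server, keyid)
        if blob is None:
            continue
        try:
            fp = fingerprint(blob)
        except (ValueError, IndexError):
            continue                                 # malformed answer counts as no answer
        seen.setdefault(fp, {}).setdefault(operator, []).append(server)
    if not seen:
        return Result("no-answer", None)
    fp, operators = max(seen.items(), key=lambda kv: len(kv[1]))
    if len(seen) > 1:
        return Result("conflict", fp, seen)          # someone served a different key
    if len(operators) < min_operators:
        return Result("insufficient", fp, seen)
    return Result("ok", fp, seen)
```

The operator mapping is the part you have to supply yourself: the pool's certificate policy (technical merits only, as Kristian notes) tells you nothing about who runs a server, so two servers in the same pool may well be one adversary. On a "conflict" result the script deliberately does not fall back to the majority answer: a single server substituting a key is exactly the case being guarded against, so the right move is to stop and look, not to outvote it.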
