Hacker News

How does one list a public PGP key, is there a verified central listing service?



One of the major features of PGP is that you don't have to rely on -- trust -- a "verified central listing service".

The "Web of Trust" [0] fills that role:

> As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.

[0]: https://en.wikipedia.org/wiki/Web_of_trust


In practice a web of trust is only trustworthy 1 degree out from you. Just because you trust someone doesn't mean you should trust the people they trust. The web of trust is a difficult-to-use misfeature. In theory it's great. In practice it's unusable.


The problem is nobody uses this right.


If you control your own domain, Web Key Directory [0] is a good option too.

[0]: https://wiki.gnupg.org/WKD


You can put it on your website or anywhere really. Some people use keybase.io for this.


You can't put it anywhere really, otherwise anyone could tie their key to your identity. Keybase.io is a good solution.


You're technically correct of course.


I guess they mean putting the key on a webpage or using Web Key Directory or a centralized service such as https://keys.openpgp.org


There used to be a bunch of those in the 90s and it was a mess.



