
How does one list a public PGP key, is there a verified central listing service?

One of the major features of PGP is that you don't have to rely on -- trust -- a "verified central listing service".

The "Web of Trust" [0] fills that role:

> As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.

[0]: https://en.wikipedia.org/wiki/Web_of_trust

In practice a web of trust is only trustworthy 1 degree out from you. Just because you trust someone doesn't mean you should trust the people they trust. The web of trust is a difficult-to-use misfeature. In theory it's great. In practice it's unusable.

The problem is nobody uses this right.

If you control your own domain, Web Key Directory [0] is a good option too.

[0]: https://wiki.gnupg.org/WKD

You can put it on your website or anywhere really. Some people use keybase.io for this.

You can't put it anywhere really, otherwise anyone could tie their key to your identity. Keybase.io is a good solution.

You're technically correct of course.

I guess they mean putting the key on a webpage or using Web Key Directory or a centralized service such as https://keys.openpgp.org

There used to be a bunch of those in the 90s and it was a mess.
