Hacker News

I don't see why you don't just get the key once, allow you to verify it, and store it locally. It seems pointless to make all these extra requests to you.

There's a reason that gpg does this... Maria's Twitter being hacked, Maria's GitHub being hacked, Maria's Keystore being hacked... a lot can go wrong.

There are still weaknesses like, you lie about a GitHub and link to your own GitHub, and lie about the public key. And... many others.




I don't see how this is any better than a keyserver and just confirming their GPG fingerprint by some other means. Not knowing someone and guessing that their fingerprint is right from some third party is very sketchy because it doesn't use a trustworthy, authoritative source (the other person).

Also, WoT works best when people meet other people they trust in person and sign each other's keys as the GNU/Linux community encourages. https://www.kernel.org/signature.html Then it's possible to get other people's keys elsewhere on the planet and know they're probably good given they're signed by someone you trust.


What the GNU/Linux community encourages is clearly not being useful for making lots of people use PGP.


Then let's make apps that explain i) how it works with pictures and ii) exchange keys more easily: say share key ids with barcodes.

GPG mail plugins that pop up a barcode that someone else can scan with their laptop's webcam or some mobile app.

GPG mail plugins should also have a search toolbar that can quickly get a key so it can be verified.

Mobile platforms must support GPG natively; many only support S/MIME.


Yes, it does do this; once you're satisfied with Maria's identity, that she's the person you want, you sign a statement to that effect, which you can store just locally or post back to the server. (Or of course you can just sign her key in GPG!) The latter - posting back to the server - is for portability reasons. A Keybase user will likely use Keybase on multiple machines.


The point of SKS is signing each other's keys and being distributed. This just fragments into a SPoF service without making the existing ones better.


Perhaps I don't understand the whole keyserver concept... But how is a keyserver not a centralised "IdP" like construct?


PGP keyservers talk to each other; if you send your key to the GnuPG keyserver, it'll end up on MIT's keyserver pretty soon.


Thanks. The WoT depends on not trusting the keyservers, but trusting that humans on the other end know whom to trust and get them to countersign each other's keys.

SSL CAs:GnuPG (GPG/PGP) -> Subversion:Git



