[Cryptography] Privacy-enhanced OpenPGP

Florian Weimer fw at deneb.enyo.de
Thu Sep 29 03:31:38 EDT 2016


OpenPGP for use in email was (deliberately?) designed in such a way
that key servers obtain a pretty accurate picture of who is talking to
whom: Ideally, before encrypting a message or checking a signature,
you should reach out to a key server to see if a revocation has been
uploaded since the last use of the key.

Even if you do not perform automated key updates, when you have to
reply to an encrypted message from a new sender, you still need to
contact the key servers because OpenPGP-encrypted messages do not
include the public key of the sender.

(This privacy leak even made it into a Dan Brown novel, but I forgot
which one.)

Is there software which can do something about this?  I could run a
key server locally and download some key server dump once a week or
so.  But that's rather complicated, and doesn't really scale, and I'm
not sure if there are any other sources besides this one:

  <https://pgp.key-server.io/dump/current/README.txt>

Is there a source for key server data which provides incremental
updates without an explicit peering setup?
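As an added illustration of the point made above (example code written for this page, not part of the post and not taken from any OpenPGP implementation): a small parser that walks the packet framing of a binary OpenPGP message and lists the key IDs it names. Those IDs, minus whatever is already in the local keyring, are exactly what a client ends up asking a key server for. The two sample messages are constructed by hand: the framing follows RFC 4880, but the key IDs are placeholders and the MPIs are dummy values, so there is no real ciphertext or signature in them.

```python
"""Walk the packet framing of a binary OpenPGP message (RFC 4880 section 4)
to see which key IDs it names and whether it carries any public key.
The two sample messages are constructed for this example: valid framing,
placeholder key IDs and dummy MPIs, no real ciphertext or signature."""
import struct

PKESK, SIGNATURE, PUBLIC_KEY, PUBLIC_SUBKEY, ISSUER = 1, 2, 6, 14, 16


def _take(data, pos, n):
    """Return data[pos:pos+n] and the new position, refusing to overrun."""
    if pos + n > len(data):
        raise ValueError("truncated at offset %d" % pos)
    return data[pos:pos + n], pos + n


def _length(data, pos, allow_partial):
    """Decode a new-format packet length (or a subpacket length when
    allow_partial is False); return (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224 or (first < 255 and not allow_partial):
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True        # partial body length


def iter_packets(data):
    """Yield (tag, body) for every packet, old-format or new-format header."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % (pos - 1))
        if ctb & 0x40:                                # new format: 6-bit tag
            tag, body, partial = ctb & 0x3F, bytearray(), True
            while partial:                            # glue partial bodies
                n, pos, partial = _length(data, pos, True)
                chunk, pos = _take(data, pos, n)
                body += chunk
            yield tag, bytes(body)
        else:                                         # old format: 4-bit tag
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                            # indeterminate length
                yield tag, data[pos:]
                return
            raw, pos = _take(data, pos, (1, 2, 4)[ltype])
            body, pos = _take(data, pos, int.from_bytes(raw, "big"))
            yield tag, body


def iter_subpackets(area):
    """Yield (type, data) for each signature subpacket in an area."""
    pos = 0
    while pos < len(area):
        n, pos, _ = _length(area, pos, False)
        body, pos = _take(area, pos, n)
        yield body[0] & 0x7F, body[1:]               # bit 7 = critical flag


def recipient_key_ids(data):
    """Key IDs from v3 PKESK packets: who the message is encrypted to."""
    return [body[1:9].hex().upper() for tag, body in iter_packets(data)
            if tag == PKESK and body[0] == 3]


def signer_key_ids(data):
    """Issuer key IDs from v4 signature packets: the keys a verifier needs."""
    ids = []
    for tag, body in iter_packets(data):
        if tag != SIGNATURE or body[0] != 4:
            continue
        hashed, pos = _take(body, 6, int.from_bytes(body[4:6], "big"))
        unhashed, _ = _take(body, pos + 2, int.from_bytes(body[pos:pos + 2], "big"))
        for area in (hashed, unhashed):
            ids += [sub.hex().upper() for kind, sub in iter_subpackets(area) if kind == ISSUER]
    return ids


def carries_public_key(data):
    """True only if the message itself ships a public key or subkey packet."""
    return any(tag in (PUBLIC_KEY, PUBLIC_SUBKEY) for tag, _ in iter_packets(data))


def keys_to_fetch(data, local_key_ids):
    """Key IDs the client must ask a key server for: every key the message
    names that the local keyring lacks.  These lookups are what the key
    server operator gets to see."""
    missing = []
    for key_id in recipient_key_ids(data) + signer_key_ids(data):
        if key_id not in local_key_ids and key_id not in missing:
            missing.append(key_id)
    return missing


# Constructed sample: encrypted to two recipients (one new-format and one
# old-format PKESK header), then a SEIPD packet with four placeholder bytes.
ENCRYPTED_MESSAGE = bytes.fromhex(
    "C1 0E 03 0123456789ABCDEF 01 0009 0101"
    "84 0E 03 FEDCBA9876543210 01 0009 0101"
    "D2 05 01 AABBCCDD")

# Constructed sample: the decrypted payload of a signed message, a literal
# data packet ("hi\n") plus a v4 RSA signature whose unhashed area holds an
# issuer subpacket with a placeholder key ID.  No public key packet anywhere.
SIGNED_MESSAGE = bytes.fromhex(
    "CB 09 62 00 00000000 68690A"
    "C2 1E 04 00 01 08 0006 05 02 57EC9F6A 000A 09 10 DEADBEEFCAFEF00D 1234 0009 0101")

if __name__ == "__main__":
    print("key server lookups needed:", keys_to_fetch(SIGNED_MESSAGE, {"0123456789ABCDEF"}))
```

The parser only looks at framing; it does no decryption or verification, and ASCII-armored input has to be dearmored first. Run over the signed sample it reports that the message ships no public key at all, only the issuer key ID in the signature, which is the lookup a recipient replying to a new correspondent cannot avoid; the encrypted sample shows the recipient IDs a key server would also see if the recipient's own key were not cached locally. A sender can blank the recipient ID in PKESK packets (what `gpg --throw-keyids` does), but there is no equivalent for the issuer ID if the signature is to be verifiable.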

