[Cryptography] Privacy-enhanced OpenPGP

Florian Weimer fw at deneb.enyo.de
Thu Sep 29 03:31:38 EDT 2016

OpenPGP for use in email was (deliberately?) designed in such a way
that key servers obtain a pretty accurate picture of who is talking to
whom: Ideally, before encrypting a message or checking a signature,
you should reach out to a key server to see if a revocation has been
uploaded since the last use of the key.

Even if you do not perform automated key updates, when you have to
reply to an encrypted message from a new sender, you still need to
contact the key servers because OpenPGP-encrypted messages do not
include the public key of the sender.

(This privacy leak even made it into a Dan Brown novel, but I forgot
which one.)

Is there software which can do something about this?  I could run a
key server locally and download some key server dump once a week or
so.  But that's rather complicated, and doesn't really scale, and I'm
not sure if there any other sources besides this one:


Is there a source for key server data which provides incremental
updates without an explicit peering setup?

More information about the cryptography mailing list