Default GPG keyservers

Not sure we can blame them?

For example https://keys.openpgp.org / new, fixed keyserver - keys.openpgp.org (not in this forum thread) only people with access to my e-mail address / the whonix.org domain name can upload. They’re using verification codes sent by e-mail. Not perfect, not against advanced adversaries but stopping most spam. Since it wasn’t done, they cannot be blamed.

Dunno how key upload works for key servers mentioned in this forum thread, how it would be resolved if a malicious key was uploaded and one wanted to replace it with a legitimate one etc.

I’d wait what kind of default emerges in Debian or similar or what gains traction. Until then, no default key server and users can opt-in to use one.

1 Like