⚠️ PGP: The slow death of the Web of Trust

📌 The new version of GnuPG is meant to limit the effects of signature spam. It therefore now ignores all signatures on imported keys.

#PGP #Verschlüsselung #WebofTrust #GnuPG #Signatur-Spams #Signaturen #Schlüssel #heise_de

https://www.heise.de/security/artikel/PGP-Der-langsame-Tod-des-Web-of-Trust-4467052.html

Web of Trust never really worked for the general public, but there are some circles that really use it; for example, kernel.org requires developers to cross-sign their keys [0], and Gentoo uses one authority key to authorize developers.

[0]: https://old.lwn.net/Articles/461236/

Current changes in GnuPG just reflect the status quo: for the majority of keys, only self-signatures are important (and imported). For limited circles where OpenPGP matters, third-party signatures still work if keys are fetched using the Web Key Directory protocol (kernel.org [1], Gentoo, and Debian already do that).

[1]: https://www.kernel.org/category/signatures.html#using-the-web-key-directory

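The structural idea behind the behaviour described above (keep self-signatures, drop third-party certifications), as an added example that is not GnuPG's, heise's or the commenter's code: a Python sketch that parses an OpenPGP packet stream, computes the primary key's v4 key ID, and sorts each signature packet by whether its issuer subpacket matches that key ID. It assumes RFC 4880 framing without partial body lengths, one-octet subpacket lengths, and a constructed sample key; it does not verify any signature cryptographically.

```python
import hashlib

def packets(data):
    """Yield (tag, body) for old- and new-format OpenPGP packet headers (RFC 4880 s4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new format: 1- or 2-octet body length
            tag, n = ctb & 0x3F, data[i]; i += 1
            if n >= 192:                                 # two-octet form; partial lengths unsupported
                n = ((n - 192) << 8) + data[i] + 192; i += 1
        else:                                            # old format; length type 3 (indeterminate) unsupported
            tag, w = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]
            n = int.from_bytes(data[i:i + w], "big"); i += w
        yield tag, data[i:i + n]; i += n

def key_id(key_body):
    """v4 key ID: low 64 bits of SHA-1(0x99 || 2-octet length || public-key packet body)."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).digest()[-8:]

def issuer(sig_body):
    """Issuer key ID (subpacket type 16) from a v4 signature's hashed or unhashed area, else None."""
    pos = 4                                              # skip version, sig type, pubkey alg, hash alg
    for _ in range(2):                                   # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(sig_body[pos:pos + 2], "big"); pos += 2
        while pos < end:
            n = sig_body[pos]; pos += 1                  # assumption: one-octet subpacket length (< 192)
            if sig_body[pos] == 16:
                return sig_body[pos + 1:pos + n]
            pos += n
    return None

def self_sigs_only(data):
    """Return (kept, dropped): signatures issued by the primary key itself vs. by anyone else."""
    kept, dropped, own = [], [], None
    for tag, body in packets(data):
        if tag == 6:                                     # public-key packet: the primary key
            own = key_id(body)
        elif tag == 2:                                   # signature packet
            (kept if issuer(body) == own else dropped).append(body)
    return kept, dropped

# Constructed sample, not a real key: fake v4 RSA key, a user ID, one self-certification, one foreign one.
pkt = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body        # new-format header, 1-octet length
def cert(issuer_id):                                                   # v4 sig, type 0x13, RSA, SHA-256
    sub = bytes([9, 16]) + issuer_id                                   # unhashed subpacket: issuer key ID
    return b"\x04\x13\x01\x08\x00\x00" + len(sub).to_bytes(2, "big") + sub + b"\xab\xcd\x00\x08\x99"
KEY = b"\x04" + (1500000000).to_bytes(4, "big") + b"\x01\x00\x08\xc5\x00\x02\x03"
SAMPLE = pkt(6, KEY) + pkt(13, b"alice@example.org") + pkt(2, cert(key_id(KEY))) + pkt(2, cert(b"\x11" * 8))
```

Running `self_sigs_only(SAMPLE)` keeps the certification whose issuer is the key itself and drops the one from the unrelated key ID, which is the filtering a key flooded with spam certifications needs on import.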