blog | ~bdeshi

tilde adventures wanderings.

Where's your gpg key?

February 12, 2020 — ~bdeshi

so gpg keys are a standard method of identity and a common encryption method in the open-source world and elsewhere. it's logically and mathematically sound, and dependable as long as you know the source of the key. so like any good oss citizen, i also have gpg keys of my own, and dutifully put them online on various keyservers.

the web-of-trust model of key trustworthiness sounds very good: i trust you, i trust your key, so anyone who trusts me also trusts your key. so people sign each other's keys (i sign yours with mine), and then anyone who finds those keys can tell whether they can be trusted by looking at who else has signed them.

but the infrastructure is apparently almost childish. there was a widespread vandalism attack in the recent past that basically destroyed the usability of gpg keyservers.

it goes like this: someone adds a huge number of signatures to public keys, which blows up the key size, and then reuploads them to keyservers, which makes client software crash when it tries to import those giant keyfiles.

i've discovered a new keyserver which tries to mitigate that problem: they make sure the email ids on uploaded keys can be verified, so not just anyone can upload random keys with your email id.

it's sensible. so i uploaded my key there.

also, meanwhile i found one of my older expired keys hanging around on a keyserver like nothing happened, while i'd actually revoked it months ago, then deleted the revocation certificate without uploading it to that particular server. so now that key has become immortal in one place.
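a defender-side check for both stories above, the flooded keys and the lingering copy that never saw its revocation, as an added example that is not part of the original post: it summarises the certifications and revocation signatures in a `gpg --list-packets` dump before anything is imported. the dump and the keyids in it are constructed, and the count threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the post: inspect a key file for signature flooding
# (and check that a revocation is present) before importing it. Only the parsing
# of `gpg --list-packets` output is done here, so it runs without gpg installed.
# Summarise a packet dump read from stdin: self-signatures vs third-party
# certifications (sigclass 0x10-0x13) and key revocation signatures (sigclass 0x20).
count_certs() {
  awk '
    /^:public key packet:/     { pkt = "primary"; next }
    /^:public sub key packet:/ { pkt = "subkey";  next }
    /^:signature packet:/      { pkt = "sig"; sigkey = $NF; next }  # line ends "keyid <ID>"
    /^:/                       { pkt = "other";   next }
    pkt == "primary" && $1 == "keyid:" { primary = $2 }
    pkt == "sig" && /sigclass 0x1[0-3]/ { if (sigkey == primary) self++; else third++ }
    pkt == "sig" && /sigclass 0x20/     { revoked++ }
    END { printf "primary=%s self_sigs=%d third_party_certs=%d revocation_sigs=%d\n",
                 primary, self + 0, third + 0, revoked + 0 }
  '
}
# Succeeds when the third-party certification count in a count_certs line ($1)
# is at or below $2 (assumed threshold). Flooded keys carry tens of thousands.
certs_within_limit() {
  n=$(printf '%s\n' "$1" | sed 's/.*third_party_certs=\([0-9]*\).*/\1/')
  [ "$n" -le "$2" ]
}
# Constructed dump with made-up keyids: a revoked primary key with one self-sig,
# three third-party certifications and one subkey binding signature (0x18).
SAMPLE_DUMP=':public key packet:
  keyid: 0123456789ABCDEF
:signature packet: algo 1, keyid 0123456789ABCDEF
  version 4, created 1590000000, md5len 0, sigclass 0x20
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
  version 4, created 1580000000, md5len 0, sigclass 0x13
:signature packet: algo 1, keyid 1111111111111111
  version 4, created 1580000100, md5len 0, sigclass 0x10
:signature packet: algo 1, keyid 2222222222222222
  version 4, created 1580000200, md5len 0, sigclass 0x12
:signature packet: algo 1, keyid 3333333333333333
  version 4, created 1580000300, md5len 0, sigclass 0x13
:public sub key packet:
  keyid: FEDCBA9876543210
:signature packet: algo 1, keyid 0123456789ABCDEF
  version 4, created 1580000000, md5len 0, sigclass 0x18'
sample_summary() { printf '%s\n' "$SAMPLE_DUMP" | count_certs; }
# Real use: gpg --list-packets key.asc | count_certs ; if the count looks hostile,
# keep only the owner's own signatures: gpg --import-options import-clean,self-sigs-only --import key.asc
sample_summary
```

a key whose dump shows revocation_sigs=0 while you know it was revoked is exactly the "immortal" copy described above; pushing the revocation certificate to that server fixes it.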

by the way, my tilde GPG key is here: bdeshi.pubkey.asc

oh and i'm also on keybase, which wants to be a gpg-based social network!

Tags: gpg, identity, encryption