Re: [Sks-devel] The pool is shrinking

[stuff]

On Fri, 16 Aug 2019 09:12:30 -0600
Ryan Hunt <address@hidden> wrote:

> Yakamo,
> it still does its job of ensuring published keys are not tampered with, it
> was not designed to be resilient to denial attacks.. That does not
> interfere with the trust of PGP, its why there are local keystores.. and
> the SKS network is still around despite being unreliable/broken from a
> maintenance standpoint.. your poisoned keys are not altering other
> individuals keys in any way/shape/form, so its security has not been
> compromised.. availability of keyservers is not critical to the use of PGP,
> again by design.. there are many ways to distribute keys, it is resilient
> factually despite your opinions.. over the decades the need has not been
> lost.
>

That's correct its not designed to be resilient to denial attacks, making it 
unreliable as stated before! which means its not resilient to governments at 
all! This statement stands true. Now it barely fulfils its basic functions! the 
amount of posts littered over the internet about how people cant pull a key 
from the servers or unable to upload them. There are constant outages!

There are alternatives and they work! sks doesn't!

Its not the design or the attacks that's for me personally and others 
distrustful its the, closed minded approach to how vulnerabilities are handled, 
both people from the GnuPG community and SKS have attacked people for what's 
considered normal practice when it comes to disclosure of vulnerabilities and 
bugs. "stay quiet and hope nothing happens" or "your attacking us because you 
pointed out something wrong with our software" is not a good way to deal with 
things!

Also do you think its good Mr Hunt that data can be uploaded onto these servers 
such as peoples personal information without consent? This has happened to a 
lot of people. And yet no one is interested in addressing this!

> You could not be more wrong about GnuPG, and it shows.. do you even work in
> the industry? Because where I sit, with over 54 million devices on my
> network.. PGP is one of the most trusted security tools we use, all of our
> software is signed by PGP, config files are signed by PGP, internal
> correspondence signed by PGP.. You are the only person in the world
> claiming GnuPG has lost its trust and you can write all the blog posts you
> want but your opinion means nothing to me, and the rest of the industry..
> Snowden and all the other security industry's rock stars still fully
> advocate the use of PGP despite your feeble attacks.

Are we really comparing "network" size?

I didn't say it was not in demand or general use in the security community! or 
unpopular!
Although I come across very few people who actually use it these days and who 
are not middle aged. Even FreeBSD stopped using it who knows how long ago for 
signing packages.

Like wise your opinion holds no value to me either.


> So to answer your questions:
> 1. Currently, its the only option until something better comes along.

Keybase and Hagrid or self hosting your gpg key, plenty of options.

> 2. There are absolutely none, but you seem to be beyond reason on this
> point so I digress.

There's plenty why you claim none im not sure, maybe we should test this theory 
of yours?

> 3. This is entirely arbitrary, not everyone has to share your perspective..
> Most of the industry rallied against the GDPR, if anything the EU/Australia
> has become the laughing stock of the cryptography world.. you guys would
> give up master keys and implement backdoors to your government in exchange
> for a cookie and a pat on the back.

Of course big company's rallied against the GDPR, it gives users their privacy 
back again!
This messes with their business model!

And are you against the GDPR?
Do you even know what the GDPR covers?

what has Australia got to do with this?

and where are you from Mr Hunt? America?

Kind Regards

Yakamo


--