sks-devel

Re: [Sks-devel] The pool is shrinking


From: Ryan Hunt
Subject: Re: [Sks-devel] The pool is shrinking
Date: Fri, 16 Aug 2019 11:42:31 -0600

SKS is still resilient to anyone wiping out all references to my public key and replacing them with their own for a man-in-the-middle attack; you can go check multiple servers and compare keys against each other.. I can check keys in my local keystore or transmitted via other means against what's in SKS, it's also resilient to keys being removed to prevent verifying data signed long ago.. none of that has changed, you can attack the whole network but its integrity is still intact when it comes back up..

Its role as a decentralized, tamper-resistant key storage solution is still vital, and I would love it if we had the development going on to address the stability issues, but that's simply not the case at this point in time and until the actual integrity of the data the SKS network serves is compromised there is no need for its death.. yes there are alternatives, but those won't force enforcement of your precious GDPR, I can host all the same keys any way I want and ignore all your requests for removal just the same so your argument attacking SKS specifically is moot.

> Also do you think it's good Mr Hunt that data can be uploaded onto these servers such as people's personal information without consent? This has happened to a lot of people. And yet no one is interested in addressing this!
I've proposed solutions to simply add more sanity/validation checks to make sure keys are actual valid keys and limiting the overall size of keys to prevent abuse, but overall I'm not terribly concerned.. there are a billion places to make information public on the internet that are entirely out of reach of your local authorities, SKS is a rather ineffective means of making information public since practically nobody is looking at the dataset as a whole and are only querying information directly, and almost always automated.. You are basically gaslighting at this point.

> And are you against the GDPR?
Correct, the GDPR would be ruled unconstitutional in a heartbeat if someone tried to implement it here.

> Do you even know what the GDPR covers?
Yes, quite well.. I unfortunately work with many forms of Digital Compliance in my industry.

> what has Australia got to do with this?
Just another example of the road to hell is paved with good intentions.. It's a slippery slope you guys are already sliding down.. I can only think of one operator that was forced to shut down for being liable for data others posted publicly, and that was an Australian operator.. long before the GDPR was drafted.. and nothing was accomplished, the data they tried to take out of the public sphere still exists.. again SKS worked as designed, the government was unable to stop the distribution of that data.. and it's still accessible, even within Australia.

> and where are you from Mr Hunt? America?
Yes, Colorado to be precise if you need to figure out what court to waste your time with.

> There's plenty; why you claim none I'm not sure, maybe we should test this theory of yours?
Go for it, I am completely willing to face any government and the resulting consequences to protect the integrity and availability of public cryptography, if my government were to ever insist on compromising it again in the future I would make it my mission to distribute the tools and spread awareness despite any legal ramifications or any moral perspective, yeah I might be assisting terrorists, child abusers, and other boogiemen; but that's the price of cryptographically secure communications. The EU can bring it on for all I care, this is a hill I'm fully prepared to die on, and have been for a while.. I advocated for and distributed the tools 30 years ago when strong crypto was illegal to export from the United States, and eventually we won that battle of attrition.

-R



On Fri, Aug 16, 2019 at 10:12 AM <address@hidden> wrote:
On Fri, 16 Aug 2019 09:12:30 -0600
Ryan Hunt <address@hidden> wrote:

> Yakamo,
> it still does its job of ensuring published keys are not tampered with, it
> was not designed to be resilient to denial attacks.. That does not
> interfere with the trust of PGP, it's why there are local keystores.. and
> the SKS network is still around despite being unreliable/broken from a
> maintenance standpoint.. your poisoned keys are not altering other
> individuals' keys in any way/shape/form, so its security has not been
> compromised.. availability of keyservers is not critical to the use of PGP,
> again by design.. there are many ways to distribute keys, it is resilient
> factually despite your opinions.. over the decades the need has not been
> lost.
>

That's correct, it's not designed to be resilient to denial attacks, making it unreliable as stated before! which means it's not resilient to governments at all! This statement stands true. Now it barely fulfils its basic functions! the amount of posts littered over the internet about how people can't pull a key from the servers or are unable to upload them. There are constant outages!

There are alternatives and they work! sks doesn't!

It's not the design or the attacks that's for me personally and others distrustful, it's the closed-minded approach to how vulnerabilities are handled; both people from the GnuPG community and SKS have attacked people for what's considered normal practice when it comes to disclosure of vulnerabilities and bugs. "stay quiet and hope nothing happens" or "you're attacking us because you pointed out something wrong with our software" is not a good way to deal with things!

Also do you think it's good Mr Hunt that data can be uploaded onto these servers such as people's personal information without consent? This has happened to a lot of people. And yet no one is interested in addressing this!

> You could not be more wrong about GnuPG, and it shows.. do you even work in
> the industry? Because where I sit, with over 54 million devices on my
> network.. PGP is one of the most trusted security tools we use, all of our
> software is signed by PGP, config files are signed by PGP, internal
> correspondence signed by PGP.. You are the only person in the world
> claiming GnuPG has lost its trust and you can write all the blog posts you
> want but your opinion means nothing to me, and the rest of the industry..
> Snowden and all the other security industry's rock stars still fully
> advocate the use of PGP despite your feeble attacks.

Are we really comparing "network" size?

I didn't say it was not in demand or general use in the security community! or unpopular!
Although I come across very few people who actually use it these days and who are not middle aged. Even FreeBSD stopped using it who knows how long ago for signing packages.

Likewise your opinion holds no value to me either.


> So to answer your questions:
> 1. Currently, it's the only option until something better comes along.

Keybase and Hagrid or self hosting your gpg key, plenty of options.

> 2. There are absolutely none, but you seem to be beyond reason on this
> point so I digress.

There's plenty; why you claim none I'm not sure, maybe we should test this theory of yours?

> 3. This is entirely arbitrary, not everyone has to share your perspective..
> Most of the industry rallied against the GDPR, if anything the EU/Australia
> has become the laughing stock of the cryptography world.. you guys would
> give up master keys and implement backdoors to your government in exchange
> for a cookie and a pat on the back.

Of course big companies rallied against the GDPR, it gives users their privacy back again!
This messes with their business model!

And are you against the GDPR?
Do you even know what the GDPR covers?

What has Australia got to do with this?

And where are you from Mr Hunt? America?

Kind Regards

Yakamo


--
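The sanity/validation checks and key-size limit proposed in the reply above, as an added example that is not code from this thread or from SKS: a keyserver-side filter that walks the OpenPGP packet framing (RFC 4880 section 4.2) of a binary public key and rejects a key that exceeds a size budget, carries too many signatures on one user ID or subkey, or is not a transferable public key at all. The limits, the `pkt` helper and the sample keys are assumed or constructed values.

```python
MAX_KEY_BYTES = 64 * 1024    # assumed ceiling on the whole key blob
MAX_SIGS_PER_COMPONENT = 50  # assumed ceiling on signatures per user ID / subkey
SIG, PUBKEY, USERID, SUBKEY, USERATTR = 2, 6, 13, 14, 17  # RFC 4880 packet tags

def parse_packets(blob):
    """Yield (tag, body) per packet; raise ValueError on framing a stored key never uses."""
    i, n = 0, len(blob)
    while i < n:
        b, i = blob[i], i + 1
        if (b & 0xC0) == 0xC0:  # new-format header
            tag, o, i = b & 0x3F, blob[i], i + 1
            if o < 192:
                length = o
            elif o < 224:
                length, i = ((o - 192) << 8) + blob[i] + 192, i + 1
            elif o == 255:
                length, i = int.from_bytes(blob[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length in key material")
        elif (b & 0xC0) == 0x80 and (b & 3) != 3:  # old-format header, e.g. 0x99 = public key
            tag, width = (b >> 2) & 0x0F, (1, 2, 4)[b & 3]
            length, i = int.from_bytes(blob[i:i + width], "big"), i + width
        else:
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if i + length > n:
            raise ValueError("packet body truncated")
        yield tag, blob[i:i + length]
        i += length

def check_key(blob):
    """Return (accepted, reason); a ValueError from the parser also means reject."""
    if len(blob) > MAX_KEY_BYTES:
        return False, "key larger than %d bytes" % MAX_KEY_BYTES
    packets = list(parse_packets(blob))
    if not packets or packets[0][0] != PUBKEY or any(
            t not in (SIG, USERID, USERATTR, SUBKEY) for t, _ in packets[1:]):
        return False, "not a transferable public key"
    sigs = 0
    for tag, _ in packets[1:]:
        sigs = 0 if tag != SIG else sigs + 1  # a new component resets its signature budget
        if sigs > MAX_SIGS_PER_COMPONENT:
            return False, "over %d signatures on one component" % MAX_SIGS_PER_COMPONENT
    return True, "ok"

def pkt(tag, body):  # constructed helper: old-format header with a one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample input: a minimal key, then the same key flooded with signatures on its user ID.
SANE_KEY = pkt(PUBKEY, b"\x04" + b"\x00" * 7) + pkt(USERID, b"alice") + pkt(SIG, b"\x04\x13")
FLOODED_KEY = SANE_KEY + pkt(SIG, b"\x04\x10") * MAX_SIGS_PER_COMPONENT
```

The packet bodies in the sample are placeholders; the check only looks at framing and packet counts, which is exactly the cheap per-upload validation a keyserver can do before any cryptographic verification.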

