[liberationtech] PGP WOT
Florian Weimer
fw at deneb.enyo.de
Sun Mar 23 13:29:24 PDT 2014
* Jonathan Wilkes:
> If I were so inclined couldn't I periodically query every
> publicly accessible PGP keyserver (maybe do it in a distributed
> manner) and upload a new key with the same name/email address as what
> was added since the last time I checked?
Yes, key servers generally do not try to build a web of trust, so they
cannot weed out bad keys. This is supposed to happen on the clients,
but the UI for that is generally poor, and obviously this doesn't
scale in the face of a concerted attack.
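
The client-side check mentioned in the reply above, as an added example that is not part of the original message: a key returned for a name/email lookup is accepted only if certification paths from the user's own key make it valid, so a look-alike key with the same user ID is filtered out. The thresholds follow the defaults of GnuPG's classic trust model (an assumption, the thread names no client), the certification depth limit is left out, and all key IDs, user IDs and signatures are constructed sample data.

```python
from collections import namedtuple

# Constructed sample data model: keyid, user ID, and the key IDs that signed it.
Key = namedtuple("Key", "keyid uid signed_by")

COMPLETES_NEEDED = 1   # signatures needed from fully trusted keys
MARGINALS_NEEDED = 3   # signatures needed from marginally trusted keys

def valid_keys(keyring, ownertrust):
    """Return the key IDs that are valid from the local user's point of view."""
    by_id = {k.keyid for k in keyring}
    # The user's own key(s) are the roots of the web of trust.
    valid = {kid for kid, t in ownertrust.items() if t == "ultimate" and kid in by_id}
    changed = True
    while changed:  # iterate until no further key becomes valid
        changed = False
        for key in keyring:
            if key.keyid in valid:
                continue
            # Only signatures made by keys that are themselves valid count.
            signers = [s for s in key.signed_by if s in valid]
            full = sum(ownertrust.get(s) in ("full", "ultimate") for s in signers)
            marginal = sum(ownertrust.get(s) == "marginal" for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key.keyid)
                changed = True
    return valid

def lookup(keyring, ownertrust, uid):
    """Key IDs carrying this user ID that the client should accept."""
    ok = valid_keys(keyring, ownertrust)
    return [k.keyid for k in keyring if k.uid == uid and k.keyid in ok]

ERIN = "Erin <erin@example.org>"
KEYRING = [
    Key("ME", "Me <me@example.org>", set()),
    Key("ALICE", "Alice <alice@example.org>", {"ME"}),
    Key("BOB", "Bob <bob@example.org>", {"ME"}),
    Key("CAROL", "Carol <carol@example.org>", {"ME"}),
    Key("ERIN-REAL", ERIN, {"ALICE"}),          # certified by a fully trusted key
    Key("ERIN-FAKE", ERIN, {"SOCK"}),           # same user ID, no path from ME
    Key("SOCK", "Sock <sock@example.org>", {"ERIN-FAKE"}),
    Key("FRANK", "Frank <frank@example.org>", {"BOB", "CAROL"}),  # 2 marginals only
]
OWNERTRUST = {"ME": "ultimate", "ALICE": "full", "BOB": "marginal", "CAROL": "marginal"}

if __name__ == "__main__":
    print(lookup(KEYRING, OWNERTRUST, ERIN))
```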