Follow

The hardest part of using PGP, key management, doesn't scale well in large organizations. We solved this problem at First Look Media (where there are over 200 PGP users) with GPG Sync. We maintain a keylist, and everyone subscribes to it, so everyone has the latest public key for everyone else.

I'm excited to announce that we've submitted a draft RFC that will turn GPG Sync into an internet standard!

Check this out: tech.firstlook.media/keylist-r

Β· Web Β· 6 Β· 111 Β· 144

GPG Sync is a program you install on your computer and can subscribe to keylists. It calls out to `gpg` to import all of the keys on your keylists on a regular basis.

I'm excited about keylists being an internet standard so that OpenPGP software that doesn't use GnuPG can support it too, like OpenKeychain on Android, or Mailvelope, or anything built on the new Sequoia-PGP rust library.

Also, it'd be awesome if GPG Tools, Enigmail, etc. allowed you to subscribe to keylists directly.

Here's the text of the draft RFC if you're interested in how it works or want to get involved:
tools.ietf.org/html/draft-mcca

Big thanks to @rmrm who actually wrote the RFC and did most of the work as his FLM intern project. Nat Welch and I helped a little too :).

@bob not alone, because keylists are just lists of fingerprints. It still relies on keyservers to fetch the public keys.

But it will be completely compatible with whatever replacement for keyservers gets built in the future.

@micahflee You could have just had one key for the organization that signs all other keys and mark this as fully trusted. When you then enable the WoT mode, they will all be trusted because they're signed.

@js this is recommended as part of the RFC, and also what we do at FLM. It makes it so we can have an internal web of trust that scales linearly as opposed to exponentially (keysigning parties).

However it doesn't make it so everyone has everyone else's correct public key. If there's a new remote employee I haven't talked to you and I need to write them an email, with GPG Sync I can just write them an encrypted email and not think about it. Otherwise I'd have to first go find their key

@micahflee I see. So the problem you're solving is not so much that of trust, but making sure to always have all public keys readily available. Makes sense.

@js yup. And if someone revokes their old key and switches to a new one, everyone else doesn't even have to be aware of it, they keep emailing and it just works. Or if someone's key expires and they update the expiration date, everyone else doesn't need to manually refresh that key.

The idea is to remove the complexity and hassle of key management from *everyone* to like one or two PGP nerds who like this stuff.

@micahflee
Friends of mine are just starting fluidkeys.com/, might be interesting to you...

@symroe this looks interesting and totally related to GPG Sync. I'll check it out

Sign in to participate in the conversation
Mastodon

Follow friends and discover new ones. Publish anything you want: links, pictures, text, video. This server is run by the main developers of the Mastodon project. Everyone is welcome as long as you follow our code of conduct!