PGP's SKS infrastructure "was written in an obscure language by a PhD student for his thesis. And because of that, there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase"


Interesting. I can't help there, but surely someone can?

@anomaly @volt4ire I think the real question is whether it's even fixable as software, or whether structural change in the gpg community is required

@volt4ire from an end-user standpoint, do we know what workflows this could impact?

Enigmail, sure (fix: disable SKS integration). OS updates, probably not (typically repo pubkeys are cached in /etc by the installer). Developers verifying signed commits, probably (for what minority of commits are signed, much less verified).

A resilient PKI is obviously important, I just don't have a good sense of the systemic risk posed by DoS via SKS.
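As a practical follow-up to the "disable SKS integration" mitigation mentioned above, here is an added example (not part of the thread, and not a GnuPG project tool) that scans a gpg.conf or dirmngr.conf for settings that make GnuPG reach out to the SKS pool on its own: a `keyserver` line naming an SKS host, or `auto-key-retrieve` without the `no-` prefix. The matching rules (substring "sks" in a keyserver line, and the auto-key-retrieve options) are the assumptions this check is built on; the sample configs in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread or from GnuPG itself.
# Flags settings in a GnuPG config file that cause automatic contact with
# the SKS keyserver pool. Assumptions: an SKS pool is identified by the
# substring "sks" in a keyserver line, and automatic fetching is the
# auto-key-retrieve option (either standalone or via keyserver-options)
# unless it is written as no-auto-key-retrieve.
check_gpg_conf() {
  conf="$1"
  findings=0
  while IFS= read -r line; do
    # skip comments and blank lines
    case "$line" in
      \#*|'') continue ;;
    esac
    case "$line" in
      keyserver*sks*)
        echo "keyserver points at an SKS pool: $line"
        findings=$((findings + 1)) ;;
      *no-auto-key-retrieve*)
        ;;  # explicitly disabled, nothing to report
      *auto-key-retrieve*)
        echo "automatic key retrieval is enabled: $line"
        findings=$((findings + 1)) ;;
    esac
  done < "$conf"
  echo "$findings SKS-related setting(s) found in $conf"
  # exit status 0 means clean, 1 means at least one finding
  [ "$findings" -eq 0 ]
}

# Usage: ./check_gpg_conf.sh ~/.gnupg/gpg.conf
if [ -n "${1:-}" ]; then
  check_gpg_conf "$1" || echo "consider commenting out the lines above"
fi
```

The function prints each offending line and returns non-zero when anything is found, so it can be dropped into a login script or a fleet audit; it deliberately treats `no-auto-key-retrieve` as clean before the broader `auto-key-retrieve` pattern, since the latter would otherwise match the former.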

