Keyservers are IMHO definitely the foremost & worst. Phil's concept had tightly controlled community or corporate keyservers. All GUI PGP versions from 1996 have had this until nowadays. Set "owner trust" is a classification scale for recipients of information e.g.
The keyring design and trust model are an issue as a whole. The keyservers are only one part of that problem and wouldn't be nearly as much of an issue if GPG itself wasn't horribly broken. GPG breaks on adversarial input without keyservers too when manually importing the keys.
The fact that it's trivial to break your entire keyring by importing a key is the fault of the GPG design and implementation, not keyservers. There's also a huge amount of attack surface for exploitation, so there are scarier possibilities than just a denial of service like this.