From 20cb78e6531af701d47cb627abd570b0413f2aac Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 30 Jul 2017 13:59:34 +0100 Subject: [PATCH] keyserver description --- doc/EN/app_keyserver.org | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/EN/app_keyserver.org b/doc/EN/app_keyserver.org index 2ce332d8..15971684 100644 --- a/doc/EN/app_keyserver.org +++ b/doc/EN/app_keyserver.org @@ -20,7 +20,9 @@ [[file:images/keyserver.jpg]] #+END_CENTER -The usual way in which you obtain GPG public keys for email encryption or other purposes is via a key server. There are a few common ones out there, but it's also possible to run your own key server. +The /web of trust/ is a nice idea, but how trustable is it? If you take a look at how many OpenPGP key servers are out there then there are a two or three main ones and not much else. Can you trust those servers? Who is maintaining them and how often? Is any censorship going on? How hard would they be for adversaries to implant? In terms of technology this infrastructure is quite old and it could have been neglected for a long time. Once vigilant maintainers might have turned lazy and gotten lax with server security, or been recruited over to the dark side. + +For these kinds of reasons you might prefer to run your own web of trust infrastructure. In simple terms it's a database of GPG public keys which provides a way for users to /find out how to communicate with others securely via email/. You can meet in person and exchange public keys via sneakernet on USB drives, but most users of GPG don't do that. Instead they just download the public key for a given email address from one of the key servers. * Installation
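Review bot: The second added paragraph ends with users who "just download the public key for a given email address from one of the key servers", and the doc never says that such a key still needs its fingerprint verified through a separate channel. Running your own key server changes who hosts and maintains the database, which answers the maintenance and censorship questions raised in the first added paragraph, but it does not by itself show that a key stored under an email address belongs to that person. I would add one sentence after "one of the key servers" telling readers to compare the fingerprint with the key owner before trusting a downloaded key. The text also uses "web of trust" and "key server" as if they were the same thing ("run your own web of trust infrastructure", "it's a database of GPG public keys"). The removed line stated plainly that keys are usually obtained via a key server, so consider keeping one such sentence and describing the key server as the distribution part. Minor wording: "there are a two or three main ones" should read "there are two or three main ones".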