Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Do any of these keyservers perform email verification? It would go a good way towards some kind of verification that a user's GPG key corresponds to their email. Otherwise, anyone can generate a key with any email address and push it up to the servers. The standard way of verifying it (key-signing parties) is somewhat difficult.


To me a more useful model is the one implemented by keybase, where a number of proofs are provided, tying a specific key to the user's online identity (e.g. github profile/HN profile).

Many times I want to "communicate with the persion identified as X on site Y" and this allows that to occur.


I've seen keybase and 1) cannot understand it or 2) understand its use-case.

I don't associate online identities with my primary communications, generally.


FWIW, although everybody talks about their new chat system, key verification is one thing keybase.io does well.


Looking forward to the mobile client, which is only showed on blog post, already announced from a year or so, but never seen on the stores...


Making users assume that emails are in _any way_ verified is dangerous because it is far too low of a bar to provide any practical security for PGP keys. Not to mention that PGP keys can be used outside the context of email (so the email could be empty or otherwise incorrect).


Agreed. The keyservers are public posting boards. You are meant to verify that the key is sufficiently signed in a chain all the way to yourself before you trust it. Anything on the keyservers that makes people think the key has already been verified is a bad thing.


They don't because GPG is ancient, and there was no proper way to do email validation back then. It is sort of better now, but still very hard to do.

If you have realistic worries that someone can intercept your email, then email validation of your GPG keys is not going to help.


Keybase.io is the best solution that has been put forward to solve this problem.


Only https://keyserver.pgp.com performs email verification, the others don't.

See: https://lkml.org/lkml/2016/8/15/445


It seems that keyserver.pgp.com won't accept keys with revoked subkeys




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: