PGP Updates, Web Key Directory

Since I last wrote about PGP and keyservers, several things have happened.

The SKS keyservers have been attacked with excess keys. It was clear this could happen, and now it has. Interestingly the data on the servers are large enough to render gpg unusable. Keys can’t be deleted from SKS servers, by design, so it seems people are now officially giving up on this kind of keyserver. Good.

Web Key Directory” has been introduced. Basically this is publishing your key on your website in a standardised location. GnuPG will then fetch it. There is some more to it, allowing for multiple addresses and looking up keys on other servers, but that is the basic idea. There is also a system for managing the key directory by email.

I put my key in a WKD a few weeks ago. I thought I was wasting my time but I actually got an email encrypted with my key which was fetched from there! The sender used Thunderbird which did this automatically without them knowing. I could tell WKD was used from my web server logs, which also made clear a disadvantage of this protocol - I could see the senders IP address and likely location. Using tor would be a good idea for fetching keys.

Another newer system is Autocrypt. It’s a system for distributing keys in email headers, and various other stuff to do with key management and user interface I think. The website is not immediately clear about what it does.

Also, in 2018 a new set of branded exploits came out - Efail. These exploit bugs in PGP, S/MIME, and email clients to recover plaintext. This is nothing to do with keyservers, but illustrates yet another problem with trying to secure email, and to bolt on security to a system which was never designed for it.

Further info on the keyserver attack.

A good guide to setting up a web key directory