mxstbr / pgp.asc

An initiative to decentralize public PGP keys.
https://www.pgpasc.org

USPs of pgp.asc compared to other approaches of distributing PGP keys #9

Closed JamborJan closed 9 years ago

JamborJan commented 9 years ago

Note: I'm not trolling around

I want to understand better the goals of this project. Yes, I understand what decentralize means and I also understand issues with centralized key servers and verification that a certain key belongs to an actual human being.

There are some other approaches to solve common issues like https://keybase.io/.

What are your concerns with an approach like e.g. https://keybase.io/ and how do you think your approach might solve it?

Thanks! JJ

iamwebrocker commented 9 years ago

hi, jj

(the following is my personal motivation, i am not writing on behalf of the project :) )

to me, the idea of using the public key as a kind of asset in an environment that for the most part i have under control - without the need to login/check with a remote service - is attractive. plus, like a robots.txt or humans.txt, having this file stored in a location where it is easily discoverable, plus the option to refer to it via link rel=pgpkey or a href rel=pgpkey, and so maybe enabling additional functions for 'smart' (email) links - I like the idea. basically it's a low-tech way to promote your public key.

due to the work here and the reading of tutorials and links and suggestions i am aware now, however, that a great advantage of key servers is currently left out of 'our' little picture here: the signage of public keys by other people. if my key is located on my webspace, people can and hopefully will find, download and use the key, but I have no way of telling if someone has signed my key. and i'd have to maintain/upload my local copy of the key again in case someone sends me the signed key back.

as @mstoiber wrote, maybe this initiative can and will get deeper into the topic, but maybe first we need to get to the not-so-technical users, and for this a 'hey, all you need to do is upload the file to your own server' first contact seems like a good idea, esp. if we then have more and deeper info also on the topic for those who want to get serious.

let me know what you think, thx tom

anselmh commented 9 years ago

First, it’s all about personal opinions here so no worries, every kind question is considered as constructive. :)

I personally use keychain servers and would also recommend to use such servers. For example, the solution here can only apply to people who have their own domain. The normal user will never use our solution and doesn’t need to.

For me, this project is an aim to provide more diversity on the choices how to make your PGP chain available to the public. People who don’t use keychain servers, can’t use or simply don’t want to use them, can use our approach that may be a standard then.

And if PGP integrations start to support both options: Searching for a key on the keychainservers and making a request to search for a key based on the domain in the email address, I’d say my personal goal is achieved.

mxstbr commented 9 years ago

> Searching for a key on the keychainservers and making a request to search for a key based on the domain in the email address, I’d say my personal goal is achieved.

:+1: I agree wholeheartedly. For me, the project is not meant as a replacement to all the existing options, but as another option.

> and so maybe enabling additional functions for 'smart' (email) links

That's one of my other goals, if we get some adoption with this project we might be able to use that as a leverage for e-mail programs. My dream is that I click your mailto: link and then write an encrypted message without me searching for your key anywhere. I hope that's going to happen...

@JamborJan do you feel we answered your question? Then I'll close the Issue. :smiley_cat:

mxstbr commented 9 years ago

No further comment, so I'm closing the issue.
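The lookup discussed in this thread (a key found from the domain in the e-mail address, plus `rel=pgpkey` links), sketched as an added example that is not part of the thread or the project's own code. The `/pgp.asc` path, the function names and the HTTPS/same-domain policy are assumptions made for illustration; the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ASSUMED_PATH = "/pgp.asc"  # assumption: file name taken from the project title
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed sample page for tom@example.org
SAMPLE_HTML = """
<link rel="pgpkey" href="/keys/tom.asc">
<a rel="me pgpkey" href="http://example.org/pgp.asc">plain HTTP</a>
<a rel="pgpkey" href="https://other.example.net/pgp.asc">other host</a>
"""

class RelPgpkeyParser(HTMLParser):
    """Collect href values of <link>/<a> tags whose rel list has 'pgpkey'."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()
        if tag in ("link", "a") and "pgpkey" in rels and attr.get("href"):
            self.hrefs.append(attr["href"])

def email_domain(address):
    """Return the lower-cased domain of an address, or raise ValueError."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not (sep and local and _DOMAIN_RE.match(domain)):
        raise ValueError(f"not a usable e-mail address: {address!r}")
    return domain

def candidate_key_urls(address, page_html=""):
    """HTTPS URLs on the address's own domain where a public key may be."""
    domain = email_domain(address)
    urls = [f"https://{domain}{ASSUMED_PATH}"]
    parser = RelPgpkeyParser()
    parser.feed(page_html)
    for href in parser.hrefs:
        url = urljoin(f"https://{domain}/", href)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Policy (assumption): trust rests on TLS to the mail domain only,
        # so plain-HTTP and off-domain links are dropped.
        on_domain = host == domain or host.endswith("." + domain)
        if parts.scheme == "https" and on_domain and url not in urls:
            urls.append(url)
    return urls

if __name__ == "__main__":
    print(candidate_key_urls("tom@example.org", SAMPLE_HTML))
```

A key fetched this way carries no third-party signatures, so a client should still show the fingerprint for out-of-band confirmation before encrypting to it.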