New approaches to PGP key servers

I’ve been a long-time fan of PGP encryption and have played around with it. If you want to send me something encrypted, you can find my key here. As encryption is slowly moving from a geek/paranoid hobby into the mainstream, it is interesting to see how different people and organizations are trying to make PGP easier to use.

Two nice initiatives relating to how to distribute your public PGP key are the Mailvelope keyserver and Max Stoiber’s pgp.asc.

The approach of pgp.asc is to “Decentralize public PGP keys” by letting everyone upload their public PGP key named pgp.asc to the root of their website (which should run https). The idea behind this is that only you would be able to upload to your own web server and this “absolutely guarantees authenticity”. It also makes it easier to update or delete your public key, since you have full access to it. The main drawback is that not everyone has their own website and still fewer have https enabled (although this will hopefully change thanks to Let’s Encrypt and the like).
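Whoever fetches a key published this way still has to check what the server actually returned. The following is an added example, not code from pgp.asc or from this post: it fetches `https://<domain>/pgp.asc`, rejects anything that is not a single armored public key block, and computes the version 4 fingerprint so it can be compared with one obtained through another channel; all function names are assumptions of the example.

```python
import base64
import hashlib
import urllib.request
from urllib.parse import urlsplit

BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def fetch_pgp_asc(domain: str) -> str:
    """Fetch https://<domain>/pgp.asc; reject a response that ended up elsewhere."""
    with urllib.request.urlopen(f"https://{domain}/pgp.asc", timeout=10) as resp:
        final = urlsplit(resp.geturl())  # URL after any redirects were followed
        if final.scheme != "https" or final.hostname != domain.lower():
            raise ValueError(f"redirected to {resp.geturl()}")
        return resp.read(1 << 20).decode("ascii")  # cap the size, armor is ASCII

def dearmor_public_key(text: str) -> bytes:
    """Decode an armored key; raise ValueError unless it is one public key block."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if any("PRIVATE KEY BLOCK" in line for line in lines):
        raise ValueError("file contains private key material")
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a single armored public key block")
    body = lines[1:-1]
    body = body[body.index("") + 1:] if "" in body else body    # skip armor headers
    body = [line for line in body if not line.startswith("=")]  # optional CRC-24 line
    return base64.b64decode("".join(body), validate=True)

def v4_fingerprint(packets: bytes) -> str:
    """SHA-1 fingerprint of the leading version 4 public key packet (tag 6)."""
    if len(packets) < 3 or not packets[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if packets[0] & 0x40:  # new-format header: tag in the low six bits
        tag, first = packets[0] & 0x3F, packets[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + packets[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(packets[2:6], "big"), 6
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:  # old-format header: tag in bits 5-2, length size in bits 1-0
        tag, size = (packets[0] >> 2) & 0x0F, 1 << (packets[0] & 3)
        length, off = int.from_bytes(packets[1:1 + size], "big"), 1 + size
    body = packets[off:off + length]
    if tag != 6 or not 0 < length < 0x10000 or len(body) != length or body[0] != 4:
        raise ValueError("expected a complete version 4 public key packet")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()
```

Typical use is `v4_fingerprint(dearmor_public_key(fetch_pgp_asc("example.org")))`, where `example.org` is a placeholder domain.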

Mailvelope is a browser extension (for Chrome and Firefox) “that enables the exchange of encrypted emails following the OpenPGP encryption standard”. Since a lot of (most?) users’ main e-mail is Gmail or another webmail service, integrating PGP with that is a major use case. Although there are reasons to be wary about generating or storing a private PGP key in the browser, the ease of use will hopefully help the broader adoption of PGP.

Mailvelope also launched their own key server, which is HKP-compatible and as such can be used just like any other key server. The interesting part is that instead of using the classic Web of Trust approach (Why not use Web of Trust?), they send an encrypted verification mail to the e-mail address in your key when you try to upload it. This is in line with how Let’s Encrypt automatically verifies instead of relying on manual verification, which makes a lot of sense.

Exciting times for PGP and encryption in general!
