Pretty Good Privacy was committed to making good encryption available to everyone. The used crypto was revolutinary at the time. But one of the big problems with public key encryption persisted: How do I get the right key from the person I don’t know?

Web of Trust

The Web of Trust was intended for this exact purpose but only ever worked in a small community of PGP enthusiasts. The promise of “encryption for the masses” could never be kept. The inflationary signing of keys causes serious problems and is, therefore, removed in GnuPG in version 2.2.17. By default this version is ignoring all signatures coming from a key server.

The basis of the Web of Trust is that “no two people are more than six degrees apart”. Everybody knows everyone. If you authenticate the key of your acquaintances, you’ll eventually reach a state where you can trust the key of person X that came from a central key server. Alter all, the sister of your uncles friend confirmed that the key actually belongs to X and wasn’t placed there by some malicious actor.

Anyone can sign any key and upload the signed version to the keyserver - in theory only after verifying its authenticity. To prevent state actors from forcing key server operators to replace real keys with fake ones, the Synchronizing Key Server (SKS) was designed in such a way that no key or signatures can be deleted. This, however, enabled a range of abuse scenarios. Currently, unknown people load keys onto keyservers again and again, which carry hundreds of thousands of signatures. Read the crisis communication by Robert J. Hansen.

Whoever imports such a key will stall their PGP installation. There is currently no known fix on the side of the SKS servers. Other options to rescue PGP had to be found.

“We’ve known for a decade this attack is possible. It’s now here and it’s devastating” rjh

The end of key signatures

In a direct response, GnuPG from version 2.2.17 added a new option self-sign-only, which is now a default option. It ensures that only the key servers own signatures are retained when a key is imported. The spam signatures and also those of the sister of your uncles friend - are no longer imported into the local keychain. This doesn’t affect manually imported keys.

This solves the signature spam problem for GPG users. But it comes with a hefty price tag. You no longer have any indication as to whether the imported key from a server is real or not. This problem is real because anyone can upload a key for any identity to the key servers.

OpenPGP enthusiasts introduced a new keyserver a few weeks ago. It verifies the e-mail address given in the key and only publishes it after successful verification. As things currently stand, there are a lot of arguments for using keys.openpgp.org instead of the SKS servers.

a picture showing a mailbox

The future

The Web of Trust is practically dead and can be considered a failure. The question arises on how the trust in PGP keys can be restored. Some people argue the community should look at messengers like Signal and Threema. They provide a convenient way of key verification and do not require any user actions or signatures. Those services provide basic trust in the genuineness of the delivered keys.