PGP
Active keys
I am actively using the following PGP key with the given fingerprint and key ID [1]:
- 70DFCCD3 8612499C D3CAB2F8 8F1B1A17 C006790E
My previous key from 2011 was:
- A3D92FF7 785D43C8 F2C19BA2 CDD89BE5 0973919E
Publications of keys
You can directly obtain a snapshot (2024-07-20) of my keys here from my website, with all the signatures included:
The signatures are relevant when using the web of trust as a trust model. Note that there is no central authority for PGP, unlike the centralized trust model of X.509 certificates.
Keyservers. Alternatively, you can go to one of the many PGP keyservers and search for all keys containing my UID or for my specific key:
- shuber@sthu.org on keys.openpgp.org
- 0x70DFCCD38612499CD3CAB2F88F1B1A17C006790E on keyserver.ubuntu.com
- 0x70DFCCD38612499CD3CAB2F88F1B1A17C006790E on keys.mailvelope.com
However, you should really check the full fingerprint when you download the key from a keyserver! Do not merely check the short (8-hex-digit) key ID, because it is easy to maliciously create multiple keys with colliding short IDs, and this has happened in practice.
SKS versus keys.openpgp.org. SKS keyservers suffer from multiple problems that have been known in theory for a long time and became reality in recent years. Besides intentionally created keys with colliding short IDs, there are certificate flooding attacks (also called certificate spamming attacks) that can break your GnuPG installation. Consequently, keyservers needed to be treated with care back in the year 2019.
In June 2019, keys.openpgp.org launched a keyserver that requires e-mail verification for submitted keys to resolve the problems mentioned above. However, as part of the solution this keyserver removes (third-party) signatures and therefore effectively prunes the web of trust. They may come back at some point, once cross-signatures are required. Also, this service cannot be part of the SKS pool for the same reasons. And only one key is stored per e-mail address.
Web Key Directory. GnuPG 2.1.12 and later implements the so-called web key directory (WKD) mechanism, which is also used by --auto-key-retrieve, to retrieve a PGP key via HTTPS from a webserver. The following code snippet illustrates the idea:
$ gpg --with-wkd-hash --fingerprint 8F1B1A17C006790E
[…]
7tkem583p5g7n37f65zguxukc8br5szt@sthu.org
[…]
$ wget "https://openpgpkey.sthu.org/.well-known/openpgpkey/sthu.org/hu/7tkem583p5g7n37f65zguxukc8br5szt"
WKD is supported by Thunderbird/Enigmail, KMail, Outlook/GpgOL, Browsers/Mailvelope, K9Mail/OpenKeyChain and some more. It is also provided by some mail providers like Posteo, Protonmail, mailbox.org, mail.de and others.
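As an added example (it is not part of this page and not GnuPG's code), the following Python reproduces the WKD hash shown in the gpg output above from the address shuber@sthu.org, builds the two lookup URLs the WKD draft defines (the advanced method with the openpgpkey subdomain, which the wget above uses, and the direct method on the bare domain), and checks a downloaded key's fingerprint against the expected one the way the keyserver section asks for: only full 40-hex-digit fingerprints are compared, and an 8- or 16-digit key ID is rejected as a reference value. The address and the expected fingerprint are taken from this page; the ?l= query parameter is the one the WKD draft specifies; the lowercase "observed" fingerprint in the demo is a constructed sample.

```python
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet as used by the WKD draft (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups taken MSB-first, no padding characters."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5              # pad the bit string up to a multiple of 5 bits
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD hash of a mail address' local part: z-base-32(SHA-1(lowercased local part)).

    A 160-bit SHA-1 digest yields exactly 32 z-base-32 characters.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Both lookup URLs the WKD draft defines for an address (advanced and direct method)."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError("not a mail address: %r" % address)
    domain = domain.lower()
    h = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")   # 'l' carries the original (unhashed) local part
    return {
        "advanced": "https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s%s" % (domain, domain, h, query),
        "direct": "https://%s/.well-known/openpgpkey/hu/%s%s" % (domain, h, query),
    }


FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(fpr: str) -> str:
    """Canonical 40-hex-digit fingerprint; refuses anything shorter, e.g. an 8- or 16-digit key ID."""
    canon = re.sub(r"[\s:]", "", fpr).upper()
    if canon.startswith("0X"):
        canon = canon[2:]
    if not FINGERPRINT_RE.match(canon):
        raise ValueError("expected a full 160-bit fingerprint, got %r" % fpr)
    return canon


def fingerprint_matches(expected: str, observed: str) -> bool:
    """Compare full fingerprints only; a short key ID on either side raises instead of matching."""
    return normalize_fingerprint(expected) == normalize_fingerprint(observed)


def rejects_as_reference(value: str) -> bool:
    """True if `value` is too short to serve as an expected fingerprint (i.e. it is a key ID)."""
    try:
        normalize_fingerprint(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Address from the page; the hash should equal the one gpg --with-wkd-hash prints.
    print(wkd_hash("shuber"))
    for method, url in wkd_urls("shuber@sthu.org").items():
        print(method, url)
    # Expected fingerprint from the page vs. a constructed lowercase sample as "observed".
    print(fingerprint_matches("70DFCCD3 8612499C D3CAB2F8 8F1B1A17 C006790E",
                              "70dfccd38612499cd3cab2f88f1b1a17c006790e"))
    # A 16-digit key ID is not an acceptable reference value.
    print(rejects_as_reference("8F1B1A17C006790E"))
```

The hash is computed from the local part only, so the same local part at two different domains maps to the same path component; the domain only selects the host, which is why the check of the retrieved key must always end in a comparison of the full fingerprint rather than of the URL that served it.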
[1] The ID of a PGP key is simply a suffix of the 160-bit (40 hex digit) fingerprint.