Hacker News new | past | comments | ask | show | jobs | submit
upofadown | on: Removing PGP from PyPI (2023)
> Of those 1069 unique keys, about 30% of them were not discoverable on major public keyservers, making it difficult or impossible to meaningfully verify those signatures. Of the remaining 71%, nearly half of them were unable to be meaningfully verified at the time of the audit (2023-05-19).

A PGP keyserver provides no identity verification. It is simply a place to store keys. So I don't understand this statement. What is the ultimate goal here? I thought that things like this mostly provided a consistent identity for contributing entities with no requirement to know who the people behind the identities actually were in real life.

woodruffw | parent | next
You're thinking one step past the failure state here: the problem isn't that keyservers don't provide identity verification, but that the PGP key distribution ecosystem isn't effectively delivering keys anymore.

There are probably multiple reasons for this, but the two biggest ones are likely (1) that nobody knows how to upload keys to keyservers anymore, and (2) that keyservers don't gossip/share keys anymore, following the SKS network's implosion[1].

Or put another way: a necessary precondition of signature verification is key retrieval, whether or not trust in a given key identity (or claimant human identity) is established. One of PGP's historic strengths was that kind of key retrieval, and the data strongly suggests that that's no longer the case.

[1]: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d695...

loading story #41875432
ploxiln | parent
These keys could have related signatures from other keys, that some users or maintainers may have reason to trust.

(But for 30% of keys this was not even theoretically possible, while for another 40% of keys it was not practically possible, according to the article.)