PGP

I am actively using the following PGP key with the given fingerprint and underlined key ID¹:

• A3D92FF7 785D43C8 F2C19BA2 CDD89BE5 0973919E

You can directly obtain a snapshot (2020-10-11) of my keys here from my website, with all the signatures included:

• A3D92FF7785D43C8F2C19BA2CDD89BE50973919E.asc

The signatures are relevant when using the web of trust as a trust model. Note that there is no central authority for PGP, like for the centralized trust model of X.509 certificates.

Keyservers. Alternatively, you can go to one of the many PGP keyservers and search for all keys containing my UID or for my specific key:

• shuber@sthu.org on keys.openpgp.org
• shuber@sthu.org on hkps.pool.sks-keyservers.net
• 0xA3D92FF7785D43C8F2C19BA2CDD89BE50973919E on keyserver.ubuntu.com

However, you should really check the fingerprint when you download the key from a keyserver! Do not only check the short (8-digit) key IDs, because it is easy to maliciously create multiple keys with colliding short IDs, and it has happened in practice.

SKS versus keys.openpgp.org. SKS keyservers suffer from multiple problems that have been known in theory for a long time and became reality in recent years. Besides intentionally creating keys with colliding short IDs, there are certificate flooding attacks resp. certificate spamming attacks that can break your GnuPG installation. Consequently, keyservers need to be treated with care in these days.

In June 2019, keys.openpgp.org launched a keyserver that requires e-mail verification for submitted keys to resolve the problems mentioned above. However, as part of the solution this keyserver removes (third-party) signatures and therefore effectively prunes the web of trust. However, they may come back at some point by requiring cross-signatures. Also, this service cannot be part of the SKS pool for the same reasons. And only one key is stored per e-mail address.