I'm certainly no crypto expert. And, sad to admit, I hadn't even heard of trollwot until today. Or keyserver-fs or sks-exploit. I have read about risks of key collision, but had the impression that faked keys wouldn't actually work.
So yes, I get the argument that Hansen should have warned people. But I gotta wonder who else has been aware of this vulnerability for years.
And I wonder how bad this could get. I can purge requests to SKS keyservers from my machines, but what about all the upstream impacts? As I understand it, GnuPG authentication is pervasive. And "ask SKS" may be almost as pervasive.