The Revault key sharing server provides a simple means for a user to share their public key with another Revault user.
The problem is that the key server does nothing to verify the user.
The gold standard for establishing trust in a public key is to communicate the key via two separate channels.
The catch is that these need to be two channels that each carry some authority:
e.g. a corporate website and a phone call.
The key sharing server allows keys to be shared anonymously, so it looks as if it carries some trust (because it is part of Revault) but in fact it provides no authority. This seems problematic because it might allow an attacker to convince a user that they were communicating via two separate forms of communication, each of which provided some authority.
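The following is an added example, not Revault's own code, of the cross-check a client could apply: it compares the fingerprint of a key received over several channels and only accepts it when at least two channels that actually carry authority agree; the key-sharing server is modelled as a non-authoritative channel, so server plus one phone call is not enough. The `KeyReport` model, the fingerprint format and the sample keys are assumptions constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyReport:
    channel: str          # where the key was received from
    authoritative: bool   # does this channel vouch for the sender's identity?
    public_key: bytes     # raw public key bytes as received


def fingerprint(public_key: bytes) -> str:
    """Short SHA-256 fingerprint, the value a user would read out over a call."""
    return hashlib.sha256(public_key).hexdigest()[:16]


def trusted_fingerprint(reports, min_authoritative=2):
    """Return the fingerprint to trust, or None.

    Rules: every report must agree on the fingerprint, and at least
    min_authoritative of them must come from a channel with authority.
    An anonymous key-sharing server counts as a channel but not as authority.
    """
    if not reports:
        return None
    fps = {fingerprint(r.public_key) for r in reports}
    if len(fps) != 1:
        return None  # conflicting keys: one channel may have been substituted
    if sum(1 for r in reports if r.authoritative) < min_authoritative:
        return None  # not enough independent authority behind the key
    return fps.pop()


# Constructed sample keys for the demo (not real Revault keys)
ALICE_KEY = b"\x02" + bytes(range(32))
FORGED_KEY = b"\x03" + bytes(range(32, 64))


def demo():
    via_server = KeyReport("key-sharing server", False, ALICE_KEY)
    via_phone = KeyReport("phone call", True, ALICE_KEY)
    via_web = KeyReport("corporate website", True, ALICE_KEY)
    forged_phone = KeyReport("phone call", True, FORGED_KEY)
    return {
        "server_plus_phone": trusted_fingerprint([via_server, via_phone]),  # None
        "web_plus_phone": trusted_fingerprint([via_web, via_phone]),        # accepted
        "substituted": trusted_fingerprint([via_web, forged_phone]),        # None
    }
```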