In Defense of Validating Keyservers

There is a concern that validating keyservers will lead to centralization in the PGP ecosystem, which will be detrimental to the goals of PGP. Centralization is something that should draw scrutiny because it carries particular disadvantages. However, there are times when a centralized (or partially centralized) system can provide benefits that are worth the risks, particularly when the risks can be mitigated.

Validating keyservers provide a unique benefit to a person in my situation - that is, someone who uses PGP in order to provide confidence in message integrity but does not have the robust social network required to provide evidence of identity through web of trust logic (particularly as a digital-only social network cannot be used for web of trust logic).

The concern is that a validating keyserver presents itself as authoritative, which means that it trends towards centralization. This is not entirely untrue, but the open nature of the PGP protocol avoids the most problematic aspects of centralization. A validating keyserver can be compared to the certificate authorities used for authenticating web servers. There are certainly problems with centralization on the modern web, but they do not stem from the use of certificate authorities. It is notable that some people (mainly those maintaining corporate environments) set up their own CAs for internal use, proving that the centralization of CAs does not enforce social relations that some people might not consent to.

Validating keyservers and web of trust logic are complementary tools. A validating keyserver provides an additional piece of evidence which is useful even if the key has a robust set of signatures. I provided the openpgp keyserver with a signature from my previous key but when I downloaded the new key the signature was not present. I find this disappointing. It would be preferable if all keyservers provided both web of trust and email validation services.
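A quick way to check whether a key you just fetched still carries its cross-certification is to parse the machine-readable output of `gpg --with-colons --list-sigs` and separate self-signatures from certifications made by other keys. This is an added example, not code from the original post; the key IDs and the two colon-format samples are constructed for illustration, and `list_sigs` assumes a `gpg` binary on the path.

```python
"""Report self-signatures vs. third-party certifications on an OpenPGP key.

Parses the colon-format output of `gpg --with-colons --list-sigs <KEYID>`.
A key fetched from a keyserver that strips third-party certifications will
show only self-signatures, which is the situation described above.
"""
import subprocess


def parse_sigs(colon_output: str) -> dict:
    """Return {user_id: {"self": count, "third_party": [signer_key_ids]}}."""
    primary = None      # long key ID of the primary key (field 5 of 'pub')
    current_uid = None
    result = {}
    for line in colon_output.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            primary = fields[4]
        elif rec == "uid":
            current_uid = fields[9]                 # field 10 is the user ID
            result[current_uid] = {"self": 0, "third_party": []}
        elif rec == "sig" and current_uid is not None:
            signer = fields[4]                      # field 5 is the signer's key ID
            if signer == primary:
                result[current_uid]["self"] += 1
            else:
                result[current_uid]["third_party"].append(signer)
    return result


def list_sigs(key_id: str) -> dict:
    """Run gpg on a key already in the local keyring and classify its sigs."""
    out = subprocess.run(["gpg", "--with-colons", "--list-sigs", key_id],
                         capture_output=True, text=True, check=True).stdout
    return parse_sigs(out)


# Constructed samples (placeholder key IDs): the same key as served with only
# its self-signature, and with a certification from a second key retained.
SAMPLE_STRIPPED = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1700000000::HASH::Example User <user@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1700000000::::Example User <user@example.org>:13x:::::2:
"""
SAMPLE_WITH_CROSS_CERT = SAMPLE_STRIPPED + \
    "sig:::1:BBBBBBBBBBBBBBBB:1700000100::::[User ID not found]:10x:::::2:\n"
```

An empty `third_party` list for every user ID after a fetch means the keyserver did not return the certifications, not that they were never made.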

Download the markdown source and signature.