PGP Global Directory
Jason Harris
jharris at widomaker.com
Mon Dec 13 20:23:17 CET 2004
On Sun, Dec 12, 2004 at 06:36:34PM -0600, Stewart V. Wright wrote:
> G'day Neil,
>
> * Neil Williams <linux at codehelp.co.uk> [041212 06:30]:
> > Rumour:
> > Keys uploaded to the new keyserver result in an email to the main email
> > address of the key to see if the email address in the key actually exists and
> > is functional and, if so, the key is signed by PGP's Global Directory
> > Verification Key.
>
> Well, in my experience this is probably the stupidest keyserver (or
> coders?) on the net.
>
> I received an email asking me to verify a key that has been revoked!

Even worse, since the "challenges" aren't encrypted to the [Open]PGP
key being "verified," they aren't even verifying that the keys can be
used for "opportune encryption." (Has anyone tried registering a
signing-only key with this PGP.com keyserver yet? :)

RobotCA, http://www.toehold.com/robotca/ , encrypts its "challenges"
to GPG's choice of encryption [sub]key for the [pub]key, so a
decrypted, published signature from RobotCA means the key was useful
for encryption when and as it was submitted to RobotCA and for
subsequent decryption by a/the keyholder.

http://www.biglumber.com/ doesn't issue signatures but should be able
to support HKP-style key lookups for keys it verifies (by emailing an
encrypted "challenge" at signup) fairly easily.
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
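
Added illustration, not part of the original message and not code from PGP.com, RobotCA or biglumber: a pre-check a verification service could run before mailing a challenge, reading a `gpg --with-colons` key listing and refusing revoked keys and keys with no usable encryption-capable [sub]key, the two cases raised above. The sample listing and key IDs are constructed, and the function name is hypothetical; field positions follow GnuPG's colon-listing format (field 2 validity, field 5 key ID, field 12 capabilities).

```python
# Field 2 validity letters that make a key unusable:
# i = invalid, d = disabled, r = revoked, e = expired.
UNUSABLE = set("idre")

# Constructed sample in `gpg --with-colons --list-keys` layout (not real keys).
SAMPLE_LISTING = """\
pub:r:1024:17:1111111111111111:1100000000:::-:::sc:
uid:r::::1100000000::0000::Revoked User <revoked@example.org>:
sub:r:1024:16:1111111111111112:1100000000::::::e:
pub:-:1024:17:2222222222222222:1100000000:::-:::scSC:
uid:-::::1100000000::0000::Sign Only <signonly@example.org>:
pub:-:1024:17:3333333333333333:1100000000:::-:::scESC:
uid:-::::1100000000::0000::Usable User <usable@example.org>:
sub:-:1024:16:3333333333333334:1100000000::::::e:
sub:e:1024:16:3333333333333335:1000000000:1050000000:::::e:
"""


def encryption_targets(colon_listing):
    """Map each primary key ID to the key IDs an encrypted challenge could use.

    An empty list means no challenge should be sent: the primary key is
    revoked/expired/disabled, or nothing on it can encrypt.
    """
    targets = {}
    primary, primary_ok = None, False
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue  # uid, sig, fpr and malformed records are not keys
        validity, keyid, caps = f[1], f[4], f[11]
        # 'D' in the capability field marks a disabled key.
        usable = validity[:1] not in UNUSABLE and "D" not in caps
        if f[0] == "pub":
            primary, primary_ok = keyid, usable
            targets[primary] = []
        elif primary is None:
            continue  # subkey record with no preceding primary key
        # Lowercase 'e' is this [sub]key's own encryption capability;
        # uppercase letters on a pub record summarise the whole key.
        if primary_ok and usable and "e" in caps:
            targets[primary].append(keyid)
    return targets


if __name__ == "__main__":
    for key, subkeys in encryption_targets(SAMPLE_LISTING).items():
        print(key, "->", subkeys or "refuse: no usable encryption key")
```
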
More information about the Gnupg-users
mailing list