looking up pgp keys

Tim Prepscius timprepscius at gmail.com
Mon Sep 16 00:46:56 CEST 2013


>> Malicious hacker replaces key with different key.

> You don't even need hackers. How do you prove when a key has changed on the
> keyservers (even if they were not compromised)?


Well the underlying theme is that everyone is responsible and in
charge of their own key.

The key servers are just as dumb as they are now, however there is an
understanding that the key server would only allow the mail-user to
change his key.


So Bob is responsible for checking his pub-key on "SuperMail
mail-server," where Bob has an account.  Bob does this regularly.
Bob's friends do this too, and they tell Bob if his key has changed.


SuperMail is responsible for *trying* to broadcast Bob's key as he has
set it, but it doesn't need to say this with any assurance, because
Bob would be checking. (as other people would be).  Bob could check
through a variety of means, to possibly thwart a MITM attack.


If SuperMail is subverting Bob's key, then Bob would find out, and
make a public statement, in some sort of forum such as this one,
saying, "SuperMail is hacked."


If Bob's account on SuperMail has been hacked, then when Bob talks to
SuperMail accusing them of subverting his key, SuperMail would find
out that indeed Bob's key was changed, they would apologize and try to
fix whatever security hole there was.

Bob would then go on a forum such as this one saying, "SuperMail got hacked."



Or perhaps Bob's password is "boB" and SuperMail would tell Bob, "look,
we see there were 1,000 password attempts on your account last week
(which SuperMail should possibly have stopped).  1,000 should not
have been enough to break your password, your password is probably
really weak."



Mail servers which effectively broadcast keys would stick around, mail
servers which get hacked would die off.



Actually, I'm not even sure why there needs to be a PGP key server pool.

Perhaps I am missing something of great importance?

This happens to me often, so I am already prepared to be flabbergasted
by my own stupidity.  Lol.


-tim
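A concrete form of the "Bob and his friends check Bob's published key" routine described in the post above, as an added example that is not part of the original message or of any GnuPG code: it computes OpenPGP v4 fingerprints (RFC 4880 section 12.2) over constructed packet bodies, then triages what several vantage points saw the mail server publish against the fingerprint Bob pinned. The vantage labels and the key bytes are assumptions; the packet bodies are stand-ins, not real keys.

```python
import hashlib

def v4_fingerprint(public_key_packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880 section 12.2): SHA-1 over the
    byte 0x99, the two-byte big-endian body length, and the body itself."""
    prefix = b"\x99" + len(public_key_packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + public_key_packet_body).hexdigest().upper()

def check_published_key(pinned_fpr: str, observations: dict) -> dict:
    """Compare the key the mail server is broadcasting, as seen from several
    vantage points (Bob's own fetch, a friend's fetch, a fetch over another
    network path, ...), against the fingerprint Bob pinned when he set it.

    observations maps a vantage label to the fingerprint observed there."""
    seen = set(observations.values())
    if seen == {pinned_fpr}:
        verdict = "ok"            # every vantage sees Bob's key: nothing to report
    elif len(seen) == 1:
        verdict = "changed"       # all vantages agree on a different key: the
                                  # server, or Bob's account on it, changed it
    else:
        verdict = "inconsistent"  # vantages disagree: a path between some
                                  # vantage and the server is substituting keys
    disagreeing = sorted(v for v, f in observations.items() if f != pinned_fpr)
    return {"verdict": verdict, "disagreeing_vantages": disagreeing}

# Constructed sample data (assumption): stand-in packet bodies, not real keys.
BOB_KEY = b"constructed public-key packet body for bob"
ROGUE_KEY = b"constructed substitute key planted on the server"
BOB_FPR = v4_fingerprint(BOB_KEY)
ROGUE_FPR = v4_fingerprint(ROGUE_KEY)

if __name__ == "__main__":
    # Bob and Alice both see Bob's key: fine.
    print(check_published_key(BOB_FPR, {"bob": BOB_FPR, "alice": BOB_FPR}))
    # Only the fetch over a second path sees another key: suspicious path.
    print(check_published_key(BOB_FPR, {"bob": BOB_FPR, "tor": ROGUE_FPR}))
```

A "changed" verdict is the case the post describes (Bob confronts SuperMail); an "inconsistent" one points at the network path rather than the server.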



More information about the Gnupg-devel mailing list