Semi-off-topic - Netiquette ?
Gordon Worley
redbird@rbisland.cx
Tue Jul 17 16:09:02 2001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 9:24 AM -0400 7/17/01, Ben Paul Wise wrote:
> Is it better to put your public key on a public key server, or
> to put it on a personal website?
Depends on a couple of things. For one thing, it depends on how
easily your Web site can be defaced. For example, I'm fairly
confident that having the key for the Mac GPG project posted to the
same Web site is a safe means of redistributing the key because from
what I can tell Sourceforge has pretty secure servers. Just to be
safe, though, I reupload the page with the key on it on a regular
basis. On my personal Web site, hosted at mac.com, I'm less
confident, since I do not believe Apple has their site locked down
the way Sourceforge does. Both places are reasonable for posting my
public key, though.
Public key servers are pretty safe, AFAIK. I always use MIT's
because it's been around for a good while and is pretty trustworthy.
I can't think of any successful attacks on key servers off the top of
my head, but I'm sure there have been at least a few but hopefully
the key servers have taken care of it. Of course, even if the key
server is okay, the key being sent could be changed out from under
you on the way (especially if you connect through a proxy server,
which I recommend you not do when accessing a key server).
So, the final word is that both are good means of distributing your
public key, but what really matters is the web of trust and making
sure that the key is good before you use it. I know many people do
not do this properly, which often has me worried about how good the
web of trust really is. When it comes down to it, if you're in a
position where having the good key is vitally important (as in if you
encrypt to the wrong key it's not a matter of someone else knowing
what you ate for dinner last night, but where you could lose money,
life, suffer pain, etc.), pay a few cents to make a phone call and
verify the key with the real person (of course, if you've read the
latest CRYPTO-GRAM, you know the phone network will soon become
unsuitable for this task).
Oh, and I always put my key ID in my sig since it lets others know
that I use PGP and makes it easy to get my key. Once they've got a key,
a number of things will let them know if they got the right one.
- --
Gordon Worley                        `When I use a word,' Humpty Dumpty
http://homepage.mac.com/redbird/     said, `it means just what I choose
redbird@rbisland.cx                  it to mean--neither more nor less.'
PGP:  0xBBD3B003                     --Lewis Carroll
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBO1RGmW7zd/e707ADEQKtFwCfYZfp/ypNiHFBJrIkdv8YdfQzljoAoM7n
YLRPYFdbV87DvafPzkxfNYai
=4vsN
-----END PGP SIGNATURE-----
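The message above says that once someone has fetched a key, "a number of things will let them know if they got the right one", and that for anything that matters the key should be confirmed with its owner by phone. The thing to read over the phone is the key's fingerprint; the key ID printed in the signature block is just its low-order 64 bits (and a short ID like 0xBBD3B003 is only 32 of them). The following is an added example, not code from the original message or from its author: it builds a constructed (not real) OpenPGP version 4 RSA public-key packet, derives its fingerprint and key ID exactly as RFC 4880 section 12.2 specifies (SHA-1 over 0x99, the two-octet body length and the body), and then checks a key as fetched from a key server against a fingerprint confirmed out of band. The key material, creation time and the "tampered" copy are all made up for the demonstration.

```python
"""OpenPGP v4 fingerprint / key ID derivation and out-of-band verification.

Added example, not code from the original message.  The key material below
is constructed for illustration and is not anyone's real key.
"""
import hashlib
import hmac
import struct


def encode_mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian magnitude."""
    if value <= 0:
        raise ValueError("MPI must be positive")
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet for an RSA key (public-key algorithm 1):
    version octet, 4-byte creation time, algorithm octet, MPI(n), MPI(e)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + encode_mpi(n) + encode_mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length and the body.
    Returned as 40 uppercase hex digits, the form gpg prints."""
    if len(body) > 0xFFFF:
        raise ValueError("v4 public-key body too long for a two-octet length")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 octets, i.e. the last 16 hex digits, of the fingerprint."""
    return fingerprint[-16:]


def normalize(fpr: str) -> str:
    """Strip whitespace and a leading 0x so a fingerprint read aloud in groups of four compares cleanly."""
    s = "".join(fpr.split()).upper()
    if s.startswith("0X"):
        s = s[2:]
    return s


def matches_out_of_band(body: bytes, spoken_fingerprint: str) -> bool:
    """True only if the fetched key's fingerprint equals the one confirmed with its owner.
    Constant-time compare is not strictly needed here but costs nothing."""
    return hmac.compare_digest(v4_fingerprint(body).encode(), normalize(spoken_fingerprint).encode())


# Constructed sample key material (NOT a real key): a fixed 1024-bit odd n, e = 65537,
# and a creation time chosen to fall on the date of the post above.
SAMPLE_N = int("C5A7" * 64, 16) | 1
SAMPLE_E = 65537
SAMPLE_CREATED = 995386142
SAMPLE_BODY = rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)

# What a key swapped out in transit might look like: same user-visible metadata, different modulus.
TAMPERED_BODY = rsa_public_key_body(SAMPLE_N ^ (1 << 200), SAMPLE_E, SAMPLE_CREATED)

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_BODY)
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("key ID:      0x" + key_id(fpr))
    print("fetched key matches spoken fingerprint:", matches_out_of_band(SAMPLE_BODY, fpr.lower()))
    print("tampered key matches spoken fingerprint:", matches_out_of_band(TAMPERED_BODY, fpr))
```

The tampered copy keeps the same creation time, algorithm and exponent, so nothing a key server or a web page shows you distinguishes it from the genuine key; only the fingerprint does. That is why the full 160-bit fingerprint, not the key ID, is what to confirm with the owner: a 32-bit short ID can be matched by a deliberately generated key, and even the 64-bit ID is a convenience for lookup rather than proof of identity.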