Semi-off-topic - Netiquette ?

Gordon Worley redbird@rbisland.cx
Tue Jul 17 16:09:02 2001 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 9:24 AM -0400 7/17/01, Ben Paul Wise wrote:

>	Is it better to put your public key on a public key server, or

>	to put it on a personal website?


Depends on a couple of things.  For one thing, it depends on how 
easily your Web site can be defaced.  For example, I'm fairly 
confident that having the key for the Mac GPG project posted to the 
same Web site is a safe means of redistributing the key because from 
what I can tell Sourceforge has pretty secure servers.  Just to be 
safe, though, I reupload the page with the key on it on a regular 
basis.  On my personal Web site, hosted at mac.com, I'm less 
confident, since I do not believe Apple has their site locked down 
the way Sourceforge does.  Both places a reasonable for posting my 
public key, though.

Public key servers are pretty safe, AFAIK.  I always use MIT's 
because it's been around for a good while and is pretty trustworthy. 
I can't think of any successful attacks on key servers off the top of 
my head, but I'm sure there have been at least a few but hopefully 
the key servers have taken care of it.  Of course, even if the key 
server is okay, the key being sent could be changed out from under 
you on the way (especially if you connect through a proxy server, 
which I recommend you not do when accessing a key server).

So, the final word is that both are good means of distributing your 
public key, but what really matters is the web of trust and making 
sure that the key is good before you use it.  I know many people do 
not do this properly, which often has me worried about how good the 
web of trust really is.  When it comes down to it, if you're in a 
position where having the good key is vitally important (as in if you 
encrypt to the wrong key it's not a matter of someone else knowing 
what you ate for dinner last night, but where you could loose money, 
life, suffer pain, etc.), pay a few cents to make a phone call and 
verify the key with the real person (of course, if you've read the 
latest CRYPTO-GRAM, you know the phone network will soon become 
unsuitable for this task).

Oh, and I always put my key ID in my sig since it let's other know 
that I use PGP makes it easy to get my key.  Once they've got a key, 
a number of things will let them know if they got the right one.
- -- 
Gordon Worley                     `When I use a word,' Humpty Dumpty
http://homepage.mac.com/redbird/   said, `it means just what I choose
redbird@rbisland.cx                it to mean--neither more nor less.'
PGP:  0xBBD3B003                                  --Lewis Carroll

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO1RGmW7zd/e707ADEQKtFwCfYZfp/ypNiHFBJrIkdv8YdfQzljoAoM7n
YLRPYFdbV87DvafPzkxfNYai
=4vsN
-----END PGP SIGNATURE-----