Semi-off-topic - Netiquette ?

Gordon Worley redbird@rbisland.cx
Tue Jul 17 16:09:02 2001



At 9:24 AM -0400 7/17/01, Ben Paul Wise wrote:

> Is it better to put your public key on a public key server, or
> to put it on a personal website?
Depends on a couple of things. For one thing, it depends on how easily your Web site can be defaced. For example, I'm fairly confident that having the key for the Mac GPG project posted to the same Web site is a safe means of redistributing the key because from what I can tell Sourceforge has pretty secure servers. Just to be safe, though, I reupload the page with the key on it on a regular basis. On my personal Web site, hosted at mac.com, I'm less confident, since I do not believe Apple has their site locked down the way Sourceforge does. Both places are reasonable for posting my public key, though.

Public key servers are pretty safe, AFAIK. I always use MIT's because it's been around for a good while and is pretty trustworthy. I can't think of any successful attacks on key servers off the top of my head, but I'm sure there have been at least a few; hopefully the key servers have taken care of it. Of course, even if the key server is okay, the key being sent could be changed out from under you on the way (especially if you connect through a proxy server, which I recommend you not do when accessing a key server).

So, the final word is that both are good means of distributing your public key, but what really matters is the web of trust and making sure that the key is good before you use it. I know many people do not do this properly, which often has me worried about how good the web of trust really is. When it comes down to it, if you're in a position where having the good key is vitally important (as in, if you encrypt to the wrong key it's not a matter of someone else knowing what you ate for dinner last night, but where you could lose money, life, suffer pain, etc.), pay a few cents to make a phone call and verify the key with the real person (of course, if you've read the latest CRYPTO-GRAM, you know the phone network will soon become unsuitable for this task).
Oh, and I always put my key ID in my sig since it lets others know that I use PGP and makes it easy to get my key. Once they've got a key, a number of things will let them know if they got the right one.

- --
Gordon Worley                      `When I use a word,' Humpty Dumpty
http://homepage.mac.com/redbird/   said, `it means just what I choose
redbird@rbisland.cx                it to mean--neither more nor less.'
PGP: 0xBBD3B003                    --Lewis Carroll
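As an added example (not from the original post), here is the mechanics of the out-of-band check the post recommends, in Python: an OpenPGP v4 fingerprint is a SHA-1 over the public-key packet, the key ID printed in a sig is just the fingerprint's low-order bytes, and the key you actually received is accepted only if it hashes to the fingerprint you confirmed by phone. The sample modulus and creation time below are constructed, not a real key.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algo 1, MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(body: bytes) -> str:
    """V4 fingerprint = SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880 12.2)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def key_ids(fingerprint: str) -> tuple:
    """The long (64-bit) and short (32-bit) key IDs are the low-order bytes of the fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]


def normalize(fingerprint: str) -> str:
    """Accept the forms people read over the phone: spaces, lower case, a 0x prefix."""
    fp = "".join(fingerprint.split()).upper()
    return fp[2:] if fp.startswith("0X") else fp


def verify_fingerprint(body: bytes, out_of_band: str) -> bool:
    """True only if the key as received hashes to the fingerprint confirmed out of band."""
    return hmac.compare_digest(fingerprint_v4(body), normalize(out_of_band))


# Constructed sample key: toy 256-bit modulus, NOT a real key; hypothetical creation time.
SAMPLE_KEY = v4_public_key_body(
    created=995328000,
    n=0xC3F6A1D09B7E5C24F1A8D6E3B2795E4D0F1C8A7B6E5D4C3B2A1908F7E6D5C4B3,
    e=65537,
)

if __name__ == "__main__":
    fp = fingerprint_v4(SAMPLE_KEY)
    long_id, short_id = key_ids(fp)
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("long key ID: 0x%s   short key ID: 0x%s" % (long_id, short_id))
    # A single byte altered in transit changes the fingerprint, so the check fails.
    tampered = SAMPLE_KEY[:-1] + bytes([SAMPLE_KEY[-1] ^ 1])
    print("tampered key matches out-of-band fingerprint?", verify_fingerprint(tampered, fp))
```

A short key ID such as the one in the sig is only a 32-bit suffix of the fingerprint, enough to find a key on a server but not to decide it is the right one; compare the whole fingerprint.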