GnuPG with virtual servers

David Shaw
Fri Feb 22 16:16:01 2002

On Fri, Feb 22, 2002 at 06:07:07AM -0800, Tom Bellucco wrote:
> My web site is hosted on a server that hosts many web
> sites.  I've contacted the administrator and asked him
> to imput my public key into the PHP user's key ring
> but he's concerned about any security implications
> seeing that multiple sites are hosted from this one
> server.  He seems to be most concerned with the
> instruction to "fully trust."  I'm trying to get him
> to set this up so I can secure data on some forms I
> use on the site that are e-mailed in the PHP script.
> Are there any issues he should be concerned with here?

Clearly there is no danger to you - after all, it's your *public* key.
No harm there.

Offhand, it sounds like the administrator is worried that someone may
abuse the trusted status of your key - say, if they can inject a key
signed by yours into the keyring, then the injected key could gain
trust.  This is true, but it is also true that anybody who manages to
get access to the machine to add a key to it could do pretty much
anything they wanted to do anyway.

Could you post exactly what you were asking the administrator to do?
I don't see any real risks here, but perhaps I do not fully understand
his concerns.


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson