Several questions as feedback on gnupg
Loic Bernable
leto@vilya.org
Wed Jan 23 16:47:02 2002
Hi all
As I recently had several opportunities to introduce people to GnuPG, they
asked me several questions, and I will try to reproduce them as
literally as I can. I also have several questions of my own that I will
add.
- I've been told the different running keyservers do not support the
deletion of a uid. Can anyone confirm this point? Where can I
find the latest version of the keyserver software used at this time?
- Are you aware of legal restrictions in some countries concerning the
setup of a public keyserver ?
- I've read somewhere that some French people asked Werner to contact
the French administration (SCSSI) to legalize the use of GnuPG in France.
There should be no theoretical problem, as PGP was validated
recently. Is that true, Werner? Did you have the time to get
information on this topic?
- I realized during a demonstration that no authentication is needed
when modifying the trust values, and in particular when assigning a higher
trust value. Can't it be a problem? If someone changes the trust value
of his (or another) key that was in "no trust" mode, and sets it to
"full trust", I will trust the signed keys without being warned I use
this key; with this configuration, I should know what are the keys I
trust and so not rely on the authentications made by the software ...
- A friend of mine pointed out the problem that may occur with persons
who have a common name and surname. Let's suppose your name is "John Doe
jd@yahoo.com". Now, imagine there is another John Doe, who generates
a GnuPG key with *your* email address. If someone meets the latter,
they could check his ID or driving license or whatsoever, but finally
there would be no way for him to know it is *not* the John Doe related
to the "jd@yahoo.com" address, and worse, John "Charlie" Doe's key
would be legitimately signed by the third person, not yours. Is that
clear enough? :o) This can still be a problem ... Maybe one day we
will have a thumbprint analysis tool that would complete our public
key recording?
Maybe some of those points have been discussed below on this list, my
reading of it is quite chaotic. Please forgive me in this case.
Thank you for your reading and/or for the answers ...
PS: if some people planned to come to the French Linux-Expo next week,
I will be pleased to share fingerprints with them!
-- 
### Loïc Bernable aka Leto -- leto@vilya.org -- Parinux, April, LinuxFR ###
Please don't develop non-free software.
-- RMS
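On the trust-value question in the message above, one way to notice an ownertrust value that was raised without the owner's knowledge is to keep a snapshot of `gpg --export-ownertrust` output and compare later exports against it. This is an added example, not part of the original message or of GnuPG; the fingerprints and both snapshots are constructed sample data, and the function names are hypothetical.

```python
# Added example; fingerprints and snapshots below are constructed sample data.
# Input: text printed by `gpg --export-ownertrust`
# ("FINGERPRINT:VALUE:" lines, "#" lines are comments).

LEVELS = {2: "undefined", 3: "never", 4: "marginal", 5: "full", 6: "ultimate"}

def parse_ownertrust(text):
    """Parse an ownertrust export into {fingerprint: trust level}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"unrecognised ownertrust line: {raw!r}")
        # The low four bits carry the level; higher bits are flags.
        table[fields[0].upper()] = int(fields[1]) & 0x0F
    return table

def raised_trust(baseline, current):
    """Return (fingerprint, old, new) for every key whose ownertrust went up.
    A key absent from the baseline is treated as 'undefined' (2)."""
    changes = []
    for fpr, new in sorted(current.items()):
        old = baseline.get(fpr, 2)
        if new > old:
            changes.append((fpr, old, new))
    return changes

def describe(changes):
    """Render changes as readable lines, e.g. '<fpr>: never -> full'."""
    return [f"{fpr}: {LEVELS.get(old, old)} -> {LEVELS.get(new, new)}"
            for fpr, old, new in changes]

KEY_A, KEY_B, KEY_C = "A" * 40, "B" * 40, "C" * 40   # constructed fingerprints

# Constructed snapshot taken when the trust values were last reviewed.
BASELINE = f"# constructed sample\n{KEY_A}:3:\n{KEY_B}:6:\n"
# Constructed later export: KEY_A went from "never" to "full", KEY_C is new.
CURRENT = f"# constructed sample\n{KEY_A}:5:\n{KEY_B}:6:\n{KEY_C}:4:\n"

if __name__ == "__main__":
    found = raised_trust(parse_ownertrust(BASELINE), parse_ownertrust(CURRENT))
    for line in describe(found):
        print("ownertrust raised:", line)
```

The baseline is only useful if it is stored where someone with access to the keyring cannot also rewrite it, for example on read-only or offline media.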