Several questions as feedback on gnupg

Werner Koch wk@gnupg.org
Thu Jan 24 10:42:01 2002 

On Wed, 23 Jan 2002 16:45:10 +0100, Loic Bernable said:

> - I've been told the different running keyservers do not support the
>   deletion of an uid. Do anyone can confirm this point ? Where can I
>   found the latest version of keyserver software used at this time ?

This is for several reasons not possible - the only thhing a keyserver
could do is to delete expired or revoked secondary encryption-only
keys.  But this is mainly a performance issue.

> - Are you aware of legal restrictions in some countries concerning the
>   setup of a public keyserver ?

Don't know.

> - I've read somewhere that some french people asked Werner to contact
>   french administration (SCSSI) to legalize the use of GnuPG in France.
>   There should be no theoretical problem, as PGP had been validated
>   lastly. Is that true, Werner ? Did you have the time to get

Yes, but I don't speak French too well ;-) It would be better if a
French company does this.  What about Mandrake, they are distributing
it.

> - I realized during a demonstration that no authentication is needed
>   when modifying the trust values, and in particular assigning a higher
>   trust value. Can't it be a problem ? If someone change the trust

Someone else has already answered this.

> - A friend of mine pointed out the problem that may occur with persons
>   who have a common name and surname. Let's suppose your name is "John Doe
>   jd@yahoo.com". Now, imagine there is another John Doe, that generates

The question of Identity is far more complicated than the technical
issues.   I agree that it would be better to probe the email address
but unless there are no good tools for automating this task it is a
lot of work.  I usually don't do this but compare the name with a
passport and check that the email address is plausible.

Ian Jackson once posted his scripts to automate the task of a personal
PGP CA; one might want to base a new tool on this.  Such a tool should
be able to cope with:

  - sign-only keys which are used by a couple of folks as a kind of
    high security key.

  - keys stored offline which require the transport of the requests
    and replies via floppy

>   clear enough ? :o) This can still be a problem ... Maybe one day we
>   will have a thumbprint analysis tool that would complete our public

Biometric don't help here; they are only usable with strong physical
protected systems.  And you certainly don't want to leave a
fingerprint in a public database - there are too many ways to abuse
such a database.

  Werner

-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus