Use of public key servers

Atom 'Smasher' atom-gpg at suspicious.org
Fri Apr 9 05:03:42 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 1) You can't prove a key from the public key server is really that
> person's public key, you still have to validate it some way. So you can
> get the key personally from that person in some way and at that time
> validate the key. Instead of using the key even though it might not be his.
======================================

if you and i know and trust each other, we can sign each other's keys
(after properly validating them).

from then on, if i download a key from a key-server that's signed by you,
i can reasonably assume that the key belongs to the person who claims to
own that key; if you download a key that's signed by me, you can
reasonably assume the same.

getting around that requires forging a signature, which is generally
considered to be infeasible.

type "web of trust" into your favorite search engine.


> 2) It allows evil people to get data from the public key servers and
> do malicious things with it (such as spammers with email addresses, or
> possibly know a username for an account on some server that hosts the email.)
======================================

the only information they would get is an email address, user name,
comment, and *public* key information....

* email address: there has been no evidence of spammers harvesting email
from key servers. it might seem like a hot target, but it's really not.
in any case, install a spam filter.

* user name: this is (typically) the user name associated with that
address, so there are easier ways to find out that i'm "Atom Smasher".

* comment: this optional field can include anything you want, but some
common sense will tell you what not to put in it (like a password, or
social security number {in the US}).

* public key: a big part of public key cryptography depends on making the
public key widely available. if you can gain information about one's
private key by having access to their public key, we'd all like to know
about it.


	...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

	"[The] feminist agenda is not about equal rights for women.
	 It is about a socialist, anti-family political movement that
	 encourages women to leave their husbands, kill their
	 children, practice witchcraft, destroy capitalism and become
	 lesbians."
               -- Rev. Pat Robertson, 1992
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish?  -  http://atom.smasher.org/links/#digital_signatures

iD8DBQFAdhKSnCgLvz19QeMRAgmoAJ4mELCCqcCNTOZsyMSGcdk/kX7TzwCeK/af
4dX6Ii1zrkR7W/WPyGiWJTY=
=U9GD
-----END PGP SIGNATURE-----
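The web-of-trust check described in the post above, as an added example that is not part of the original message and not GnuPG's own code. Names (alice, bob, carol, dave, mallory), the fixed seeds and the user IDs are constructed for the example; the certification format (user ID, NUL, key bytes) stands in for OpenPGP's certification signature packets, and the Validated/Certifier bits stand in for GnuPG's key validity and owner trust. It shows the three cases that matter: a key signed by someone whose key you validated and trust as a certifier is accepted; a key signed only by someone you never validated is not; and a certification copied onto different key material fails, which is the "forging a signature" the post refers to.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Key is a public key as a key server returns it: the user ID it claims,
// the key material, and the certifications other keys placed on that binding.
type Key struct {
	UserID string
	Pub    ed25519.PublicKey
	Certs  []Cert
}

// Cert is one certification ("key signature"): who signed, and a signature
// over the user-ID-to-key binding. Getting around it means forging this.
type Cert struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// certPayload is what a certifier signs: the claimed user ID bound to the
// exact key material, so a certification cannot be moved to another key.
func certPayload(userID string, pub ed25519.PublicKey) []byte {
	return append([]byte(userID+"\x00"), pub...)
}

// Certify is what "signing someone's key" does after validating it in person.
func Certify(signer ed25519.PrivateKey, k Key) Cert {
	return Cert{
		Signer: signer.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(signer, certPayload(k.UserID, k.Pub)),
	}
}

// Trust is what the local user established out of band; a key server cannot set it.
type Trust struct {
	Validated bool // I checked that this key belongs to its owner
	Certifier bool // ...and trust that owner to check other people's keys
}

// TrustDB maps a key fingerprint (hex of the key material here) to Trust.
type TrustDB map[string]Trust

func fingerprint(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", pub) }

// Valid reports whether a downloaded key can reasonably be taken to belong to
// its claimed user ID: I validated it myself, or it carries a certification
// that verifies and was made by a key whose owner I validated AND trust as a
// certifier. A key that is merely valid does not extend validity to others.
func Valid(db TrustDB, k Key) bool {
	if db[fingerprint(k.Pub)].Validated {
		return true
	}
	payload := certPayload(k.UserID, k.Pub)
	for _, c := range k.Certs {
		t := db[fingerprint(c.Signer)]
		if t.Validated && t.Certifier && ed25519.Verify(c.Signer, payload, c.Sig) {
			return true
		}
	}
	return false
}

// keyFromSeed derives a deterministic key pair from a constructed seed so the
// example runs offline; real keys would come from gpg --gen-key.
func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = b
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario plays out the post from bob's side: bob and alice validated and
// signed each other's keys. From a key server bob then fetches Carol's key
// (signed by alice), Dave's key (signed only by Carol, whom bob never
// validated) and an impostor key that claims Carol's user ID with Mallory's
// key material and alice's certification pasted onto it.
func Scenario() (carolValid, daveValid, impostorValid bool) {
	alicePub, alice := keyFromSeed(1)
	carolPub, carol := keyFromSeed(3)
	davePub, _ := keyFromSeed(4)
	malloryPub, _ := keyFromSeed(5)
	// Bob's trust database, built in person, never from the key server.
	db := TrustDB{
		fingerprint(alicePub): {Validated: true, Certifier: true},
	}
	carolKey := Key{UserID: "Carol <carol@example.org>", Pub: carolPub}
	carolKey.Certs = append(carolKey.Certs, Certify(alice, carolKey))
	daveKey := Key{UserID: "Dave <dave@example.org>", Pub: davePub}
	daveKey.Certs = append(daveKey.Certs, Certify(carol, daveKey))
	// Same user ID as Carol, different key material, alice's signature reused.
	impostor := Key{UserID: carolKey.UserID, Pub: malloryPub, Certs: carolKey.Certs}
	return Valid(db, carolKey), Valid(db, daveKey), Valid(db, impostor)
}

func main() { fmt.Println(Scenario()) }
```

`go run` prints `true false false`. In GnuPG terms the same three outcomes are what `gpg --check-sigs` shows after you have run `gpg --sign-key` on a key you validated and assigned its owner trust with `gpg --edit-key`: the Dave case is why a key signed by someone who is merely valid, but to whom you gave no owner trust, still shows as untrusted.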
