Use of public key servers

Anthony E. Greene agreene at pobox.com
Fri Apr 9 05:15:01 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08-Apr-2004/21:04 -0500, Russell Valentine <russ at coldstonelabs.org> wrote:
>I've posted my public key on a public key server a while ago. A friend 
>of mine was trying to explain to me that public key servers are useless 
>and bad. His arguments were:
>
>1) You can't prove a key from the public key server is really that 
>person's public key, you still have to validate it some way. So you can 
>get the key personally from that person in some way and at that time 
>validate the key. Instead of using the key even though it might not be his.

That only matters if you really need to know that a certain key really
belongs to a certain person.

If I only need to communicate securely with russ at coldstonelabs.org, I
don't necessarily care whether the key I use actually belongs to a real
world person named Russell Valentine. For example, if you wish to
continue this discussion off-list, do you really care whether 0x6C94239D
belongs to Anthony E. Greene, or do you just need to know that you can use
it to send a secure message to agreene at pobox.com?

Keyservers make casual use of cryptography between strangers easier. They
are not intended to solve the Web-of-Trust problem.

>2) It allows evil people to get data from the public key servers and 
>do malicious things with it (Such as spammers with email addresses, or 
>possibly know a username for an account on some server that hosts the email.)

There are much easier ways to get email addresses (which also implies much
easier ways to get usernames). In the early days of PGP, cryptography was
so geeky and spam so against the prevailing attitude, that spammers would
have been inviting retaliation by targeting PGP users. These days there
are too many easy/cheap/fast ways to get hundreds of thousands of email
addresses to worry about harvesting keyservers.


Tony
- -- 
Anthony E. Greene <mailto:Anthony%20E.%20Greene%20%3Cagreene at pobox.com%3E>
AOL/Yahoo Messenger: TonyG05    HomePage: <http://www.pobox.com/~agreene/>
OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26  C484 A42A 60DD 6C94 239D
Linux. The choice of a GNU generation <http://www.linux.org/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Anthony E. Greene <mailto:agreene at pobox.com> 0x6C94239D

iD8DBQFAdhUvpCpg3WyUI50RArD6AJ4llE5VwNFC4MWlkENOI6lo/WeENACcClhm
gsAE1fWY+mkSXZzP1G5992Y=
=WhHB
-----END PGP SIGNATURE-----


