PGP Global Directory

Neil Williams linux at codehelp.co.uk
Sun Dec 12 13:14:39 CET 2004


On Thursday 09 December 2004 1:28 pm, David Shaw wrote:
> Hi Folks,
>
> I figured I'd forestall the obvious question about the new keyserver
> that the PGP company announced this morning:

Where can I find out some facts about this signing keyserver protocol? I've 
heard some rumours of what it's doing to 'verify' the uploaded key but what's 
the truth?

Rumour:
Keys uploaded to the new keyserver result in an email to the main email 
address of the key to see if the email address in the key actually exists and 
is functional and, if so, the key is signed by PGP's Global Directory 
Verification Key.

Problem:
If that is truly all that happens, it's all but useless. All it's doing is 
sifting out dead keys - it is migrating all the keys on current PGP 
keyservers. 

From the FAQ: Every six months, everyone with an active key is now going to 
receive an email from PGP. Great, thanks. If you don't reply, your key will 
be deleted from the Global Directory. 

Somehow, I see a lot of active keys being wrongly marked as dead simply 
because of the email process.

If the message is encrypted to the key it might be something but IMHO this is 
BAD keysigning practice. There is no face-to-face fingerprint verification, 
no photo ID verification. 

Does it deal with subkeys?
Does it deal with photos?

It would take a lot more before I'd trust any signatures made by the PGP 
keyserver key.

There are some of these automated signing keys around already and I never 
trust them. Without verification of the physical person behind the key, what 
is the point?

I've tried the PGP Global Directory FAQ but it is thin on detail.

http://download.pgp.com/products/pdfs/PGP-Global_Directory_Whats-New_041206_F.pdf
Although don't expect a lot more than is already in HTML here:
http://www.pgp.com/downloads/beta/globaldirectory/

I've got no problem with the removal of dead keys from keyservers, but what 
bothers me is WHY they choose to sign the key rather than simply delete ones 
that can't be verified. When the signature is untrustworthy, why sign at all?

Simply because it purports to be 'from PGP' is not good enough.

-- 

Neil Williams
=============
http://www.dclug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
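The verification flow the post describes as rumour (a challenge mailed to the address in the key's user ID, the user ID signed by the directory's key on reply, the entry lapsing unless re-confirmed every six months), modeled below as an added example. This is not PGP's code and not part of the original post; the six-month interval and the seven-day challenge validity are assumptions, the scenario (Alice's key; Mallory, who controls mail for alice@example.org but is not Alice) is constructed, and the RSA parameters are a deliberately tiny textbook toy used only to model "the challenge is encrypted to the key". It shows what the directory signature actually attests in each variant: plaintext challenges prove only that someone could read mail at that address at that moment; encrypting the challenge additionally proves possession of the private key, but still says nothing about who that person is.

```python
"""Model of the mailed-challenge verification flow described in the post.

Added example, not PGP's code. Assumptions: SIX_MONTHS renewal interval,
CHALLENGE_TTL validity window, toy RSA parameters, constructed scenario.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SIX_MONTHS = 182 * 24 * 3600     # re-verification interval in seconds (assumed)
CHALLENGE_TTL = 7 * 24 * 3600    # how long a mailed challenge stays valid (assumed)

# Textbook RSA with p=61, q=53. One toy key pair stands in for every key;
# the only thing modeled is "holds the private half" versus "does not".
N, E, D = 3233, 17, 2753


@dataclass
class Key:
    fingerprint: str
    email: str                     # address in the key's user ID
    priv: Optional[int] = None     # D if the submitter holds the private key


@dataclass
class Mail:
    """What lands in the mailbox named by the user ID."""
    to: str
    token: str
    ciphertext: Optional[int] = None   # nonce encrypted to the key, if enabled


@dataclass
class Directory:
    encrypt_challenge: bool = False
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)     # token -> (key, nonce, issued)
    signatures: dict = field(default_factory=dict)  # (fpr, email) -> expiry time

    def submit(self, key: Key, now: int) -> Mail:
        """Upload: mail a challenge to the address in the user ID."""
        nonce = secrets.randbelow(N)
        bound = f"{key.fingerprint}|{key.email}|{now}|{nonce}".encode()
        token = hmac.new(self.secret, bound, hashlib.sha256).hexdigest()
        self.pending[token] = (key, nonce, now)
        ct = pow(nonce, E, N) if self.encrypt_challenge else None
        return Mail(to=key.email, token=token, ciphertext=ct)

    def confirm(self, token: str, answer: Optional[int], now: int) -> bool:
        """Reply: on success the directory key 'signs' (fingerprint, email)."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False                 # unknown, replayed or already-used token
        key, nonce, issued = entry
        if now - issued > CHALLENGE_TTL:
            return False                 # stale challenge
        if self.encrypt_challenge and answer != nonce:
            return False                 # mailbox read, but private key not held
        self.signatures[(key.fingerprint, key.email)] = now + SIX_MONTHS
        return True

    def sweep(self, now: int) -> None:
        """The six-monthly pass: drop entries whose confirmation lapsed."""
        self.signatures = {k: exp for k, exp in self.signatures.items() if exp > now}

    def is_signed(self, fpr: str, email: str) -> bool:
        return (fpr, email) in self.signatures


def reply(mail: Mail, key: Key) -> tuple:
    """Whoever reads the mailbox answers; decrypting the nonce needs the private key."""
    if mail.ciphertext is None or key.priv is None:
        return mail.token, None
    return mail.token, pow(mail.ciphertext, key.priv, N)


def scenario(encrypt_challenge: bool) -> dict:
    """Constructed scenario: Alice's own key, then two uploads by Mallory,
    who can read mail for alice@example.org but is not Alice."""
    d = Directory(encrypt_challenge=encrypt_challenge)
    t0 = 1_100_000_000
    alice = Key("AAAA1111", "alice@example.org", priv=D)
    tok, ans = reply(d.submit(alice, t0), alice)
    alice_ok = d.confirm(tok, ans, t0 + 3600)

    # Mallory re-uploads Alice's public key (no private half) and answers from the mailbox.
    alice_pub = Key("AAAA1111", "alice@example.org", priv=None)
    tok, ans = reply(d.submit(alice_pub, t0), alice_pub)
    mailbox_only = d.confirm(tok, ans, t0 + 3600)

    # Mallory uploads her own key carrying Alice's address as its user ID.
    mallory = Key("BBBB2222", "alice@example.org", priv=D)
    tok, ans = reply(d.submit(mallory, t0), mallory)
    mallory_ok = d.confirm(tok, ans, t0 + 3600)

    # Nobody re-confirms; the sweep a year later removes whatever was signed.
    d.sweep(t0 + 2 * SIX_MONTHS)
    return {
        "alice_signed": alice_ok,
        "mailbox_only_refresh": mailbox_only,
        "mallory_key_signed": mallory_ok,
        "alice_after_sweep": d.is_signed("AAAA1111", "alice@example.org"),
        "mallory_after_sweep": d.is_signed("BBBB2222", "alice@example.org"),
    }


if __name__ == "__main__":
    print("plaintext challenge:", scenario(False))
    print("challenge encrypted to key:", scenario(True))
```

In both variants Mallory's own key, bearing Alice's address, gets signed, which is the post's objection in concrete form: the signature certifies mailbox access at a point in time, not the person. Encrypting the challenge only closes the case where the submitter never held the private key at all.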
