PGP Global Directory
Neil Williams
linux at codehelp.co.uk
Sun Dec 12 13:14:39 CET 2004
On Thursday 09 December 2004 1:28 pm, David Shaw wrote:
> Hi Folks,
>
> I figured I'd forestall the obvious question about the new keyserver
> that the PGP company announced this morning:
Where can I find out some facts about this signing keyserver protocol? I've
heard some rumours of what it's doing to 'verify' the uploaded key but what's
the truth?
Rumour:
Keys uploaded to the new keyserver result in an email to the main email
address of the key to see if the email address in the key actually exists and
is functional and, if so, the key is signed by PGP's Global Directory
Verification Key.
Problem:
If that is truly all that happens, it's all but useless. All it's doing is
sifting out dead keys - it is migrating all the keys on current PGP
keyservers.
From the FAQ: Every six months, everyone with an active key is now going to
receive an email from PGP. Great, thanks. If you don't reply, your key will
be deleted from the Global Directory.
Somehow, I see a lot of active keys being wrongly marked as dead simply
because of the email process.
If the message is encrypted to the key, it might be something, but IMHO this is
BAD keysigning practice. There is no face-to-face fingerprint verification,
no photo ID verification.
Does it deal with subkeys?
Does it deal with photos?
It would take a lot more before I'd trust any signatures made by the PGP
keyserver key.
There are some of these automated signing keys around already and I never
trust them. Without verification of the physical person behind the key, what
is the point?
I've tried the PGP Global Directory FAQ but it is thin on detail.
http://download.pgp.com/products/pdfs/PGP-Global_Directory_Whats-New_041206_F.pdf
Although don't expect a lot more than is already in HTML here:
http://www.pgp.com/downloads/beta/globaldirectory/
I've got no problem with the removal of dead keys from keyservers, but what
bothers me is WHY they choose to sign the key rather than simply delete ones
that can't be verified. When the signature is untrustworthy, why sign at all?
Simply because it purports to be 'from PGP' is not good enough.
--
Neil Williams
=============
http://www.dclug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
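The distinction the post turns on, a signature from an automated key versus one from a key whose owner you have decided to trust, is exactly what GnuPG's web-of-trust validity calculation encodes. The following Python block is an added example, not code from the post, from GnuPG or from PGP Corporation's product: it models the classic rule (one certification from a fully trusted key, or three from marginally trusted keys, make a key valid) over a constructed keyring. The key IDs ("ME", "ALICE", "GLOBALDIR", "K1" and so on) and the ownertrust assignments are invented for the illustration; certification depth is capped at a fixed number of passes, and expiry and revocation are ignored.

```python
"""Classic web-of-trust validity over a constructed keyring.

Added example (not code from the mailing-list post, from GnuPG or from
PGP's product). Assumptions: key IDs and certifications below are
invented; the rule mirrors GnuPG's classic defaults (completes-needed=1,
marginals-needed=3); a certifier's signature counts only if the
certifier's own key is already valid; expiry and revocation are ignored.
"""

# Ownertrust levels whose certifications count in full toward validity.
FULLY_TRUSTED = ("full", "ultimate")


def build_keyring(certifications):
    """Return {key_id: set(certifier key_ids)} from (certifier, target) pairs."""
    keyring = {}
    for certifier, target in certifications:
        keyring.setdefault(certifier, set())
        keyring.setdefault(target, set()).add(certifier)
    return keyring


def compute_validity(keyring, ownertrust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Assign 'ultimate', 'full', 'marginal' or 'unknown' to every key.

    A key is fully valid when certified by at least completes_needed
    fully trusted keys, or marginals_needed marginally trusted keys.
    Certifications from keys with ownertrust 'never' (or no ownertrust
    at all) are ignored, which is what makes an automated signing key's
    certification worthless until the user explicitly trusts that key.
    """
    validity = {kid: "ultimate" if ownertrust.get(kid) == "ultimate" else "unknown"
                for kid in keyring}
    for _ in range(max_cert_depth):  # one pass per hop of certification depth
        changed = False
        for kid, certifiers in keyring.items():
            if validity[kid] in FULLY_TRUSTED:
                continue  # already as valid as it can get
            usable = [c for c in certifiers if validity[c] in FULLY_TRUSTED]
            full = sum(1 for c in usable if ownertrust.get(c) in FULLY_TRUSTED)
            marginal = sum(1 for c in usable if ownertrust.get(c) == "marginal")
            if full >= completes_needed or marginal >= marginals_needed:
                new = "full"
            elif marginal > 0:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[kid]:
                validity[kid] = new
                changed = True
        if not changed:
            break
    return validity


# Constructed keyring: ME is the local user's key; GLOBALDIR stands in for an
# automated signing key (its fingerprint was checked, so ME certified it, but
# ME has not decided to trust the certifications it makes).
CERTIFICATIONS = [
    ("ME", "ALICE"), ("ME", "BOB"), ("ME", "CAROL"), ("ME", "DAVE"), ("ME", "GLOBALDIR"),
    ("GLOBALDIR", "K1"),                                   # automated signature only
    ("ALICE", "K2"),                                       # one fully trusted certifier
    ("BOB", "K3"), ("CAROL", "K3"),                        # two marginals: not enough
    ("BOB", "K4"), ("CAROL", "K4"), ("DAVE", "K4"),        # three marginals: enough
    ("GLOBALDIR", "K5"), ("BOB", "K5"), ("CAROL", "K5"),   # automated sig does not tip it
]
KEYRING = build_keyring(CERTIFICATIONS)

OWNERTRUST = {
    "ME": "ultimate",
    "ALICE": "full",
    "BOB": "marginal", "CAROL": "marginal", "DAVE": "marginal",
    "GLOBALDIR": "never",   # the post's position on automated signing keys
}


def validity_if_globaldir_trusted(level="full"):
    """Validity of every key if the user gives GLOBALDIR ownertrust `level`."""
    return compute_validity(KEYRING, dict(OWNERTRUST, GLOBALDIR=level))


if __name__ == "__main__":
    for kid, v in sorted(compute_validity(KEYRING, OWNERTRUST).items()):
        print(f"{kid:10} {v}")
    print("K1 after trusting GLOBALDIR:", validity_if_globaldir_trusted()["K1"])
```

With GLOBALDIR at ownertrust never, the key certified only by it (K1) stays at validity unknown and the automated signature on K5 adds nothing to the two marginal ones; changing that single ownertrust entry to full is the only thing that makes those signatures count, which is the decision the post says it would not make. On a real keyring the equivalent step is `gpg --edit-key` on the signing key followed by the `trust` command.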