PGP Global Directory

David Shaw dshaw at jabberwocky.com
Tue Dec 14 22:57:46 CET 2004


On Mon, Dec 13, 2004 at 02:23:17PM -0500, Jason Harris wrote:
> On Sun, Dec 12, 2004 at 06:36:34PM -0600, Stewart V. Wright wrote:
> > G'day Neil,
> > 
> > * Neil Williams <linux at codehelp.co.uk> [041212 06:30]:
> > > Rumour:
> > > Keys uploaded to the new keyserver result in an email to the main email 
> > > address of the key to see if the email address in the key actually exists and 
> > > is functional and, if so, the key is signed by PGP's Global Directory 
> > > Verification Key.
> > 
> > Well, in my experience this is probably the stupidest keyserver (or 
> > coders?) on the net.
> > 
> > I received an email asking me to verify a key that has been revoked!
> 
> Even worse, since the "challenges" aren't encrypted to the [Open]PGP
> key being "verified," they aren't even verifying that the keys can be
> used for "opportune encryption."  (Has anyone tried registering a
> signing-only key with this PGP.com keyserver yet?  :)

It should "just plain work" since, as you say, the GD isn't encrypting
the mails.

I think the target audience for the GD is rather different than many
of the people who hang out on this list.  The target audience needs a
way to get keys, with as little pain as possible, and with some amount
of assurance that the key is the right one.

Their definition of "some amount of assurance" and yours or mine is
going to be fairly different, to say the least.  The thing that
pleases me about the GD is that the design can be used by the beginner
or the advanced user.  The beginner can trust the GD key.  The
advanced user does not have to, and still gets the benefits of the
server.

David



More information about the Gnupg-users mailing list