Question about fingerprints and keys uploaded to keyservers
David Shaw
dshaw at jabberwocky.com
Sun Feb 22 13:27:51 CET 2004
On Sun, Feb 22, 2004 at 04:00:53AM -0500, gabriel rosenkoetter wrote:
> On Sat, Feb 21, 2004 at 11:49:27PM -0500, David Shaw wrote:
> > I wonder if the fact that PKS and the keyserver.net server have
> > several identical bugs says something about the genealogy of
> > keyserver.net. PKS has been somewhat fixed at this point, but
> > keyserver.net hasn't. I think(?) the PKS licence allows for this, but
> > it's interesting anyway.
>
> I think that the keyserver.net folks' (purposeful or accidental)
> secrecy is so pervasive is a bit more interesting. And, even if
> their keyserver weren't broken, would be reason enough to not want
> to use them. One thing that we can be pretty sure of at this point
> is that secrecy of a few[1] doesn't aid strong cryptography.
>
> Have you ever actually had contact with "Highware Inc" or with
> Sebastian Lemmens of Brussels, Brabant 1060? Have you tried calling
> them? (The whois record lists several phone numbers and fax numbers.)

No, I didn't try that hard. I mailed them about the bug (and gave
them the fix) a few times back in 2002, but that's about it. No
responses, so I just didn't bother to pursue it. There is only one
Veridis keyserver out there, and if it's broken - well, eventually,
market forces are Darwinian. It's a shame they are running a broken
server on the good keyserver.net domain name, though.

I'm not too worried about security implications of a broken keyserver.
It's annoying, to be sure, but it's really a denial of service attack
rather than any exploitation of OpenPGP itself.

Frankly, I don't know how new users of OpenPGP discover keyserver.net
in the first place. Google? Some HOWTO document that mentions it?

David