Question about fingerprints and keys uploaded to keyservers

David Shaw dshaw at
Sun Feb 22 13:27:51 CET 2004

On Sun, Feb 22, 2004 at 04:00:53AM -0500, gabriel rosenkoetter wrote:
> On Sat, Feb 21, 2004 at 11:49:27PM -0500, David Shaw wrote:
> > I wonder if the fact that PKS and the server have
> > several identical bugs says something about the genealogy of
> >  PKS has been somewhat fixed at this point, but
> > hasn't.  I think(?) the PKS licence allows for this, but
> > it's interesting anyway.
> I think that the folks' (purposeful or accidental)
> secrecy is so pervasive is a bit more interesting. And, even if
> their keyserver weren't broken, would be reason enough to not want
> to use them. One thing that we can be pretty sure of at this point
> is that secrecy of a few[1] doesn't aid strong cryptography.
> Have you ever actually had contact with "Highware Inc" or with
> Sebastian Lemmens of Brussels, Brabant 1060? Have you tried calling
> them? (The whois record lists several phone numbers and fax numbers.)

No, I didn't try that hard.  I mailed them about the bug (and giving
them the fix) a few times back in 2002, but that's about it.  No
responses, so I just didn't bother to pursue it.  There is only one
Veridis keyserver out there, and if it's broken - well, eventually,
market forces are darwinian.  It's a shame they are running a broken
server on the good domain name, though.

I'm not too worried about security implications of a broken keyserver.
It's annoying, to be sure, but it's really a denial of service attack
rather than any exploitation of OpenPGP itself.

Frankly, I don't know how new users of OpenPGP discover
in the first place.  Google?  Some HOWTO document that mentions it?


More information about the Gnupg-users mailing list