[OT] Re: useless test keys and keyservers

Erwan David erwan at rail.eu.org
Tue Mar 1 20:10:06 CET 2005


On Tue 1/03/2005, David Shaw said
> > 
> > There are 2 keys on keyservers which bear my name, but which I do not
> > own. Worse they are signed by several keys bearing the name of people
> > who know me, but those keys do not belong to them either.
> 
> This reminds me of something that happened back in the PGP 2 days.
> The web of trust was a lot smaller than it is today, and someone took
> it upon themselves to duplicate it by making all the keys themselves,
> and recreating the various inter-key links to match the real web.

Here someone created keys with the names and addresses of all regular
participants in a French-speaking computer security newsgroup. And
cross-signed them before sending them to keyservers...

> > However, if checks are done carefully, nobody can trace those keys to
> > me through a sensible chain of signatures, leading to a personally
> > verified key ownership.
> 
> Yes.

But there is a weak point: if someone signs without carefully checking,
those keys can be linked back to the real web of trust. Let's hope such
a person will not be trusted more marginally by anybody, but I have
little hope in common knowledge about the importance of key signing,
even if there was no catastrophe since 1998 when keys were uploaded...


-- 
Erwan


