Bogus Key on Keyservers
Tad Marko
tad at tadland.net
Sun Oct 16 22:25:50 CEST 2005
On Sun, Oct 16, 2005 at 06:09:27PM +0100, Nicholas Cole wrote:
>
> --- Tad Marko <tad at tadland.net> wrote:
> > An email verification step?
>
>
> The problem is, that IF the email infrastructure was
> secure enough to be trusted, there would be no need
> for pgp/gpg/smime at all. An email verification step
> is not, and cannot be, 100% secure.
>
> Of course, in many cases, email is not re-routed,
> server admins can be trusted, email systems are not
> broken in to - to the extent that email without
> additional security is largely trusted as "good
> enough".
>
> But, in fact, if someone is willing to forge a key
> with your name on, it is probably one of those times
> that email may well not be "good enough". Hence the
> need to rely on key fingerprints, not on the email
> system.
>
> Best,
>
> Nicholas
Right, which is the reason for the continued need to let people know
your key signature via a trusted means. But, if someone was wanting to
hassle you by creating scads of bogus keys on keyservers, it still
makes it that much more difficult for people to obtain the correct
key.
If someone were more sophisticated, as you suggest, it seems that it
is even more imperative for someone to be able to get the bogus keys
out of view.
Tad
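The point both sides of this thread agree on is that the e-mail address or name on a key proves nothing; only a fingerprint obtained through a trusted channel does. The following is an added example, not code from the original post or from GnuPG, that shows the difference in practice: a constructed list of keys such as a keyserver might return for one name (several of them bogus) is first searched by user ID, which cannot tell the keys apart, and then by a full fingerprint supplied out of band, which selects exactly one. The fingerprints and user IDs are made-up placeholders, and the check assumes 40-hex-digit OpenPGP v4 fingerprints.

```python
import hmac
import re

# Constructed sample of what a keyserver search for one name might return.
# Several entries carry the same user ID; only one is the real key. All
# fingerprints below are made-up placeholder values.
KEYSERVER_RESULTS = [
    {"uid": "Tad Marko <tad at tadland.net>",
     "fingerprint": "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA"},
    {"uid": "Tad Marko <tad at tadland.net>",
     "fingerprint": "DEAD BEEF DEAD BEEF DEAD  BEEF DEAD BEEF DEAD BEEF"},
    {"uid": "Tad Marko <tad at tadland.net>",
     "fingerprint": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"},
    {"uid": "Someone Else <else at example.invalid>",
     "fingerprint": "FFFF EEEE DDDD CCCC BBBB  AAAA 9999 8888 7777 6666"},
]


def normalize_fingerprint(fpr: str) -> str:
    """Canonicalise a fingerprint as a user might have copied it.

    Accepts the spaced display form, an optional 0x prefix and either
    letter case. Rejects anything that is not a full 40-hex-digit v4
    fingerprint, so a short 8- or 16-digit key ID cannot slip through
    as if it were a fingerprint (assumption: v4 keys only).
    """
    s = fpr.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    s = s.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError("not a full OpenPGP v4 fingerprint: %r" % fpr)
    return s


def keys_for_uid(results, uid_substring: str):
    """Select by name/e-mail only: every bogus key with that UID matches too."""
    needle = uid_substring.lower()
    return [k for k in results if needle in k["uid"].lower()]


def select_trusted_key(results, trusted_fingerprint: str):
    """Select by a fingerprint learned through a trusted channel.

    Returns the single matching key, or None if no key (or, defensively,
    more than one key) carries that fingerprint. The comparison uses
    hmac.compare_digest so it does not depend on where the strings differ.
    """
    want = normalize_fingerprint(trusted_fingerprint)
    matches = [
        k for k in results
        if hmac.compare_digest(normalize_fingerprint(k["fingerprint"]), want)
    ]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    by_uid = keys_for_uid(KEYSERVER_RESULTS, "tad at tadland.net")
    print("keys matching the e-mail address:", len(by_uid))
    # Fingerprint as it might be read over the phone or off a business card.
    chosen = select_trusted_key(KEYSERVER_RESULTS,
                                "0x0123456789abcdef0123456789abcdef01234567")
    print("key selected by fingerprint:", chosen and chosen["fingerprint"])
```

Searching by user ID returns all three keys bearing the name, which is exactly the nuisance described above; searching by the out-of-band fingerprint returns one, and a short key ID is refused outright rather than being matched against a prefix.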