keyserver spam

[MFPA]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 17 December 2011 at 4:58:28 PM, in
<mid:4EECCA34.9050809 at jeromebaum.com>, Jerome Baum wrote:


> On 2011-12-17 17:04, MFPA wrote:
>> On Saturday 17 December 2011 at 3:25:56 PM, in
>> <mid:4EECB484.6080701 at jeromebaum.com>, Jerome Baum wrote:
>>> I doubt the validity of those automated checks and
>>> checks on the email anyway. What constitutes "owning"
>>> foo at example.com?

>> As far as that server's checking is concerned, being
>> able to receive the email they send out to that
>> address and respond to it or click a link.

> Okay so we're assuming that "ownership" means being
> able to read mail there. Given an attacker that cannot
> read mail for foo at example.com, if that attacker uploads
> a key with UID foo at example.com, what value does this
> verification have?


Unless somebody visits the link in the verification email, the key
will not be added to the PGP Global Directory.



> If I don't verify the key, and send
> an encrypted email to foo at example.com, the attacker
> presumably cannot read the message anyway.

Nor can the person who controls foo at example.com but your email has
just provided the service of alerting them of the existence of the
attacker's key.



> For signing, well I don't usually care that "some
> person who was at a point or currently is able to
> receive or intercept emails sent to foo at example.com
> signed this message", I usually care that "John Smith
> signed it". But let's assume I care whether something
> really originated with a person that was or is able to
> read email to foo at example.com, how is this more useful
> than just emailing them to confirm?

Convenience. *If* you trust the signature from the server that says they
verified the email address for you, you don't need to do it yourself.



> i.e. IMO emails on UIDs are bullshit.

I would rather use hashes in UIDs, so that if you have my name or
email address you can locate my key but inspecting my key does not
give you my identity or contact details.



> So are
> certification policies that say (or don't say but
> enforce anyway) that you must have an email on your
> UID. Why refuse to certify _less_ information?

Why indeed. My government won't issue a passport that doesn't include
my date of birth. These days I can't even get a driving licence that
doesn't show my date of birth. What does a date of birth have to do
with my competence to drive between now and my licence's expiry date,
or with my ability to travel across borders?


- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

If you can't convince them, confuse them.
-----BEGIN PGP SIGNATURE-----

iQCVAwUBTu5sAaipC46tDG5pAQptawP+NWp3JRBG4zX2M1p+P1UyaaPV/7GQ8Zcg
e3fEdS7jqb6AewEpvpvjwI1mEAS935B4I0RpgBHZHpTFYvVUFJfg0wL6QP+b/qHy
45I/aKBu37qnlBxSMqd98eq8s0lNhcmJpcowUcW1nF1qkTA8nF5303VF5P3jnwLJ
nCJ4NR7tax0=
=sEfb
-----END PGP SIGNATURE-----