keyserver spam

MFPA expires2011 at
Sun Dec 18 23:40:57 CET 2011

On Saturday 17 December 2011 at 4:58:28 PM, in
<mid:4EECCA34.9050809 at>, Jerome Baum wrote:

> On 2011-12-17 17:04, MFPA wrote:
>> On Saturday 17 December 2011 at 3:25:56 PM, in
>> <mid:4EECB484.6080701 at>, Jerome Baum wrote:
>>> I doubt the validity of those automated checks and
>>> checks on the email anyway. What constitutes "owning"
>>> foo at

>> As far as that server's checking is concerned, being
>> able to receive the email they send out to that
>> address and respond to it or click a link.

> Okay so we're assuming that "ownership" means being
> able to read mail there. Given an attacker that cannot
> read mail for foo at, if that attacker uploads
> a key with UID foo at, what value does this
> verification have?

Unless somebody visits the link in the verification email, the key
will not be added to the PGP Global Directory.

> If I don't verify the key, and send
> an encrypted email to foo at, the attacker
> presumably cannot read the message anyway.

Nor can the person who controls foo at, but your email has
just provided the service of alerting them of the existence of the
attacker's key.

> For signing, well I don't usually care that "some
> person who was at a point or currently is able to
> receive or intercept emails sent to foo at
> signed this message", I usually care that "John Smith
> signed it". But let's assume I care whether something
> really originated with a person that was or is able to
> read email to foo at, how is this more useful
> than just emailing them to confirm?

Convenience. *If* you trust the signature from the server that says they
verified the email address for you, you don't need to do it yourself.

> i.e. IMO emails on UIDs are bullshit.

I would rather use hashes in UIDs, so that if you have my name or
email address you can locate my key but inspecting my key does not
give you my identity or contact details.

> So are
> certification policies that say (or don't say but
> enforce anyway) that you must have an email on your
> UID. Why refuse to certify _less_ information?

Why indeed. My government won't issue a passport that doesn't include
my date of birth. These days I can't even get a driving licence that
doesn't show my date of birth. What does a date of birth have to do
with my competence to drive between now and my licence's expiry date,
or with my ability to travel across borders?

-- 
Best regards

MFPA                    mailto:expires2011 at

If you can't convince them, confuse them.
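MFPA's "hashes in UIDs" idea from the reply above, worked through as an added example; this is not code from the post or from GnuPG, and the `h:` prefix, the 16-hex-character truncation and the sample key set are assumptions.

```python
import hashlib
import re

# Illustration of the hashed-UID scheme described in the post (not the author's code).
# Assumed layout: the UID carries truncated SHA-256 hashes of the normalised name and
# e-mail address instead of the values themselves, so a correspondent who already knows
# either value can locate the key, while the key itself discloses neither.

HASH_HEX_LEN = 16                      # assumption: 64-bit prefix of the digest
EMAIL_RE = re.compile(r"[^\s<>]+@[^\s<>]+")


def normalise(value: str) -> str:
    """Collapse case and whitespace so one identity always yields one hash."""
    return " ".join(value.split()).lower()


def hashed_token(value: str) -> str:
    """Truncated hex SHA-256 of a normalised identity component."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()[:HASH_HEX_LEN]


def build_uid(name: str, email: str) -> str:
    """UID that can be found by name or by address but contains neither in clear."""
    return f"h:{hashed_token(name)} h:{hashed_token(email)}"


def lookup(keys: dict, query: str) -> list:
    """Fingerprints whose UIDs contain the hash of the queried name or address.
    `keys` maps fingerprint -> list of UID strings, mimicking a keyserver UID search."""
    wanted = f"h:{hashed_token(query)}"
    return sorted(fpr for fpr, uids in keys.items()
                  if any(wanted in uid.split() for uid in uids))


def uid_discloses_email(uid: str) -> bool:
    """True when a UID contains something shaped like an e-mail address."""
    return EMAIL_RE.search(uid) is not None


# Constructed sample key set; fingerprints are placeholders, not real keys.
SAMPLE_KEYS = {
    "FPR-CONSTRUCTED-A": [build_uid("Alice Example", "alice@example.org")],
    "FPR-CONSTRUCTED-B": [build_uid("Bob Example", "bob@example.org")],
}

# Caveat: anyone who already knows or can guess an address can recompute its hash, so
# the scheme hides the address from inspection of the key, not from a dictionary match.
```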
