
Re: Senator Leahy, your public key please?



Senator Leahy is the first member of Congress to publicize a PGP key.
(There are already fake keys for Bill and Hillary Clinton and Al Gore.)
A Washington-area Cypherpunk recently visited Senator Leahy's office
and asked if he could verify that the PGP key posted to the net for
Senator Leahy was correct*, so he could sign it; while it would be
difficult to fake responses to the "PGP Public Key" entry on his web page,
it could be done, and a fake key could be publicized in other ways.
He was told that there's some Congressional silliness about the issue -
what's the political implication of having someone sign your key?
[email protected] is fine, but are there ethics questions if 
ACT UP, Big Oil or the Christian Coalition signs it, or if Newt Gingrich
or your party's Majority Leader refuses to sign it - are those endorsements?

Tim May pointed out that you don't _need_ anybody's permission to sign
their key; just do it and send to the keyserver.  Even if they don't like you.
>What if, for example, Sen. Leahy _did_ end up in the web of trust for Aryan
>Nation?  Even if he never intended it, this could have some severe PR
>repercussions.
>An exciting new world we're entering.

It's really hard to get handed a straight line like this and have to 
pass it up, but I'm _not_ going to create an Aryan Nations key,
and I'm _not_ going to send it to [email protected].

Black Unicorn's experience at Senator Leahy's office implies there
are too many clueless Congresscritters around who would recognize
the political potential and make a Law to Do Something about it,
just as Georgia recently made a law against making links to people's
web sites without their permission.  While the Republicans in Congress,
having somehow found themselves on the side of Free Speech with Leahy 
against Clinton's administration, may be able to pass laws reducing the 
government's encryption-export and wiretapping efforts, a good scare 
like this could make it more difficult.  Sigh.  :-)
I haven't Cc:d this to Leahy - Should I?

Meanwhile, what should we do about PGP key signatures?  
PGP 3.x is still being developed, and keyservers can be updated as needed.  
While I agree that keyservers don't need to validate keys - that's a
job for the web of trust, and the keyserver-admin could sign keys
if he/she/it wanted to - it may make sense for the keyservers to only 
accept keys in messages signed by the key itself.  (Just signing the key
doesn't help much here; you need to sign the key-plus-signatures.)
Does it make sense to include some similar capability in PGP itself?

Leahy has at least signed his own key...
#					Thanks;  Bill
# Bill Stewart, [email protected], +1-415-442-2215
# goodtimes signature virus inoculation
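The keyserver policy proposed in the message above (accept an upload only if the message carrying the key is signed by that key, and sign the key-plus-signatures rather than the bare key) can be sketched in a few lines. The following is an added example, not code from the original post, from PGP or from any keyserver; it stands in Ed25519 for PGP's signature scheme and a simple length-prefixed encoding for PGP's packet format, and all keys (owner, friend, stranger) are generated on the spot rather than taken from anyone's real key. It compares the two policies on the same pair of uploads: the owner's legitimate upload, and a stranger who copies the public bundle, appends their own certification, and reuses the owner's earlier signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ThirdPartySig is one certification: Signer's signature over the bundle's key.
type ThirdPartySig struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// Bundle is what a keyserver stores: a key plus every signature made on it.
type Bundle struct {
	Key  ed25519.PublicKey
	Sigs []ThirdPartySig
}

// Encode serialises key and signatures in a fixed order, so a signature over
// this byte string commits to the whole bundle, not only to the key.
// (Hypothetical encoding; stands in for PGP's packet format.)
func (b Bundle) Encode() []byte {
	var buf bytes.Buffer
	buf.Write(b.Key)
	binary.Write(&buf, binary.BigEndian, uint32(len(b.Sigs)))
	for _, s := range b.Sigs {
		buf.Write(s.Signer)
		buf.Write(s.Sig)
	}
	return buf.Bytes()
}

// Submission is a bundle plus the owner's signature on the upload.
type Submission struct {
	Bundle   Bundle
	OwnerSig []byte
}

var ErrNotOwnerSigned = errors.New("upload is not signed by the key it carries")

// AcceptWhole is the proposed policy: the owner must have signed key-plus-signatures.
func AcceptWhole(sub Submission) error {
	if len(sub.Bundle.Key) != ed25519.PublicKeySize {
		return errors.New("bad key length")
	}
	if !ed25519.Verify(sub.Bundle.Key, sub.Bundle.Encode(), sub.OwnerSig) {
		return ErrNotOwnerSigned
	}
	return nil
}

// AcceptKeyOnly is the weaker policy: a self-signature over the bare key suffices.
func AcceptKeyOnly(sub Submission) error {
	if len(sub.Bundle.Key) != ed25519.PublicKeySize {
		return errors.New("bad key length")
	}
	if !ed25519.Verify(sub.Bundle.Key, sub.Bundle.Key, sub.OwnerSig) {
		return ErrNotOwnerSigned
	}
	return nil
}

// Certify is a third-party key signature: signer signs someone else's key.
func Certify(signer ed25519.PrivateKey, key ed25519.PublicKey) ThirdPartySig {
	return ThirdPartySig{Signer: signer.Public().(ed25519.PublicKey), Sig: ed25519.Sign(signer, key)}
}

// Result records the outcome of each upload under each policy (nil = accepted).
type Result struct {
	OwnerUploadWhole      error // owner uploads key + friend's cert, whole-bundle policy
	StrangerUploadWhole   error // stranger appends own cert, reuses owner's signature
	OwnerUploadKeyOnly    error // same two uploads under the key-only policy
	StrangerUploadKeyOnly error
}

// Scenario builds constructed keys and runs both uploads through both policies.
func Scenario() (Result, error) {
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	_, friendPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	_, strangerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}

	// The owner asked a friend to sign the key and uploads key + that one cert.
	bundle := Bundle{Key: ownerPub, Sigs: []ThirdPartySig{Certify(friendPriv, ownerPub)}}
	whole := Submission{Bundle: bundle, OwnerSig: ed25519.Sign(ownerPriv, bundle.Encode())}
	keyOnly := Submission{Bundle: bundle, OwnerSig: ed25519.Sign(ownerPriv, ownerPub)}

	// A stranger copies the now-public bundle, appends an unwanted cert, and
	// reuses the owner's signature from the earlier upload.
	tainted := Bundle{Key: ownerPub, Sigs: append(append([]ThirdPartySig{}, bundle.Sigs...), Certify(strangerPriv, ownerPub))}

	return Result{
		OwnerUploadWhole:      AcceptWhole(whole),
		StrangerUploadWhole:   AcceptWhole(Submission{Bundle: tainted, OwnerSig: whole.OwnerSig}),
		OwnerUploadKeyOnly:    AcceptKeyOnly(keyOnly),
		StrangerUploadKeyOnly: AcceptKeyOnly(Submission{Bundle: tainted, OwnerSig: keyOnly.OwnerSig}),
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("whole-bundle policy: owner:", r.OwnerUploadWhole, "| stranger:", r.StrangerUploadWhole)
	fmt.Println("key-only policy:     owner:", r.OwnerUploadKeyOnly, "| stranger:", r.StrangerUploadKeyOnly)
}
```

Under the whole-bundle policy the stranger's upload is rejected, because the owner's signature covered the bundle before the extra certification was appended. Under the key-only policy the stranger's upload goes through: the owner's self-signature over the bare key is public and still verifies no matter what signatures are bolted on, which is the point made above about needing to sign the key-plus-signatures. The caveat is that this only guards the upload path; anyone can still publicize a signed copy of the key by other means, and a keyserver that stores the last accepted bundle needs the owner to re-upload if they want a third-party signature removed rather than added.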