
Re: A couple of ideas for PGP-based programs



At 10:26 PM 1/8/96 +1100, Jiri Baum wrote:

>> 2)  I would like to see a program like Private Idaho have the ability to send
>> mail to the key server and grab all of the "unknown signator" keys.
>...
>
>This is very easy, at least in Unix: pgp -kvv, grep, cut, for.
>
>In DOS, you can do pgp -kvv and find, then edlin to change
>every "sig" into "call getkey", call the resulting (batch) file,
>which will call GETKEY.BAT for every missing key. I hope.

This is about what I do now.  I am writing a Perl program that splits the
requests up into separate mail messages and dumps them out to the mail
program du jour.

>However, I don't see much of a point to it: these are people you don't
>even know the keys of; how are you going to know whether they are
>trustworthy? (The Web-o-Trust can only tell you who they are, not
>whether to trust them.)

True, but I hate seeing keys with 40 signatures on it and all of them read
"Unknown Signator".  (I am expecting someone to use "Unknown Signator" or
"Key revoked" as a nym any day now.)

>...
>> This would
>> have the interesting effect of building a more complete keyring, while using 
>> the "web of trust" to weed out a lot of the bogus keys that tend to crop up on
>> the key servers.  After n number of iterations you would have more of the
>> "important keys" and the ones that have little or no signage would be left to
>...
>
>No, you wouldn't. You would tend to have the keys that sign a lot
>of other keys, which would include both SLED (Four-11) and a lot
>of careless people that sign every key in sight.

Very good point!  I was actually talking about the "incredibly bogus keys
that stopped living and take up valuable keyserver space".  Keys with names
like "Wow! This is neat! I think I will create 3-4 keys a day!!!!!".  (I
actually wound up retrieving a key like this.  They are pretty annoying...)

>How about, instead:
>
>3) A way to retrieve all the keys signed by a given entity.
>
>This would have the effect that when you come to trust Alice, you
>can simply go and get all the keys she signed. I believe the present
>keyservers don't allow that... (Or else I don't know how to ask for it.)

I like that idea a lot!  That way you can retrieve keys signed by people you
trust.  (Would this be the "Web of Guilt by Association"?)  It might have a
downside or two...  (Privacy for key signers?  Job seekers denied a job
because they signed the key of a known member of the four horsemen? "Are you
or have you ever been a key signer for Tim May or one of his Tentacles?")

Alan Olsen -- [email protected] -- Contract Web Design & Instruction
        `finger -l [email protected]` for PGP 2.6.2 key 
              http://www.teleport.com/~alano/ 
"Governments are potholes on the Information Superhighway." - Not TCMay
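
The pipeline sketched in the quoted text (pgp -kvv, grep, cut, for) and the one-request-per-message step from the reply, as an added example that is not code from either poster. Instead of grepping for the "Unknown signator" label, it compares signer key IDs against the keyring's own pub lines, so a key whose user ID imitates that label is not mistaken for a missing one. The listing layout, the placeholder keyserver address and the "GET 0x<keyid>" subject syntax are assumptions.

```shell
#!/bin/sh
# Added example. Assumed `pgp -kvv` layout (PGP 2.6.x style): "pub" lines
# carry bits/keyID, "sig" lines carry the signer's key ID in field 2.
KEYSERVER_ADDR=${KEYSERVER_ADDR:-keyserver@example.invalid}  # placeholder

# Constructed sample listing, not taken from a real keyring.
sample_kvv() {
cat <<'EOF'
Type bits/keyID    Date       User ID
pub  1024/0A1B2C3D 1995/06/01 Alice Example <alice@example.org>
sig       9F8E7D6C             (Unknown signator, can't be checked)
sig       0A1B2C3D             Alice Example <alice@example.org>
pub  1024/5566AABB 1995/09/12 Unknown Signator <nym@example.org>
sig       9F8E7D6C             (Unknown signator, can't be checked)
sig       11223344             (Unknown signator, can't be checked)
pub   512/77889900 1995/11/30 Bob Example <bob@example.org>
sig       5566AABB             Unknown Signator <nym@example.org>
EOF
}

# Print every signer key ID that has no "pub" entry, once each, sorted.
# Only 8-hex-digit IDs pass, so keyring text never reaches a mail header.
missing_signers() {
    awk '
        function ok(s) { return length(s) == 8 && s ~ /^[0-9A-Fa-f]+$/ }
        $1 == "pub" { if (split($2, p, "/") == 2 && ok(p[2])) have[toupper(p[2])] = 1 }
        $1 == "sig" { if (ok($2)) want[toupper($2)] = 1 }
        END { for (id in want) if (!(id in have)) print id }
    ' | sort
}

# One request per missing key, as separate messages on stdout.
# The "GET 0x<keyid>" subject is the assumed mail-keyserver syntax.
keyserver_requests() {
    while read -r id; do
        printf 'To: %s\nSubject: GET 0x%s\n\n' "$KEYSERVER_ADDR" "$id"
    done
}

sample_kvv | missing_signers | keyserver_requests
```

On a real keyring the input would come from `pgp -kvv` piped into `missing_signers`; fetched keys still carry no trust of their own, as the quoted text points out.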