[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pgp keys



At 11:55 AM 4/4/96 -0500, Jack P. Starrantino   [email protected] wrote:
>Is there a reliable method for obtaining the pgp public key for an
>arbitrary email address? [....] to obtain keys I do not have.

Reliable?  No; not everybody follows The One True KeyDistribution Method,
or even follows one-or-more of the popular electronic approaches, 
and not all keys that are distributed electronically are on the Internet,
though some of them may be on intranets or fido or uucp nets.

There's also the problem that the results are not unique.  If you look
at the MIT keyserver, http://www-swiss.ai.mit.edu/~bal/pks-toplev.html,
in the cluttered "Bill Stewart" namespace, you'll find several Bill Stewarts,
and you'll find many people have multiple keys for each email address,
especially after they've been in the servers a few years.

>I've caught some of the discussion on key servers, and noted some
>people's use of their signature, plan, or home page to distribute their
>keys.  Are some combination of these suitable today? 

There's a collection of keyservers that stay in sync with each other,
including the ones at pgp.mit.edu.  bal's http interface is a popular
way to access them, though there are others communications methods as well.
Some other people use finger; finger's really just a telnet to port 79
while sending a requested name and holding the connection up to wait for
replies,
but not everybody uses that either, and many host systems don't serve finger.
My work PGP address is available on my company's internal phone-book web,
and printed on my business cards, though I have now put it on MIT's server.

>Is there a parseable convention in use for extracting keys from
mail/finger/html?
Sure - the standard ASCII form that PGP extracts keys in is parseable by PGP.
(You have to be careful, when obtaining keys by mail/finger/html, that if you
get multiple keys, you do something appropriate, like split them up first.)
Unfortunately, Real PGP likes to ask you interactively if you want to add
the keys it found to a keyring, or whatever, but you could just feed it
some "Y"s on stdin to keep it happy.  The new PGP 3.0 stuff will have libraries
so it's much easier to build clean routines to do this rather than interact.

>My goal is to make encryption the default behavior on outgoing mail. I
>am not concerned about local security.

Good luck!  You'll probably have to prompt the user at least for
disambiguation, and possibly for methods for finding keys as well.