[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PGP public key servers are NOT useful!

To: Amnesia Anonymous Remailer <[email protected]>
Subject: Re: PGP public key servers are NOT useful!
From: "Omegaman" <[email protected]>
Date: Thu, 8 Aug 1996 14:19:43 +0000
CC: [email protected]
Comments: Authenticated sender is <[email protected]>
Priority: normal
Reply-to: [email protected]
Sender: [email protected]


> What I want to prevent is some person I dislike uploading his
> signature on my key

Yes, that's unpreventable.  It still does not change the fact that it 
is up to the person using your public key to determine if you are 
indeed that actual owner of that key.
 
> How would you like it if I added a new ID to your key containing sort
> of insult, certified that ID, and uploaded the new signature to the
> key servers.

RTFM.  Look, go into PGP and try to change your key ID.  You will 
note that PGP asks you to provide the passphrase to your secret key 
before allowing an id change.  Someone could not get your public key 
off of a keyserver and change the id of the key.  The need both your 
secret key and your passphrase to do that.

Now someone could create a key-pair themselves and  falsely assign 
your e-mail address and some miscellaneous crap as the ID.  They 
could then upload the"rogue" public key portion of this keypair to 
the servers.

However, the falsity of this "rogue" public key can be easily 
determined by you and anyone who is trying to communicate securely 
with you.  All of this is explained with great clarity in the PGP 
documentation.

Think about this...
Suppose I knew who you were and knew your e-mail address.  What's to 
stop me from creating a "rogue" key-pair with your address as the 
e-mail id and uploading it to the keyservers?  Just because you don't 
utilize the keyservers, doesn't mean your public key can't be placed 
there.  "Controlling" the distribution of your public key is giving 
you a false sense of security where none is really needed.

Ponder: why is a public key called a "public" key?

"Controlling" the distribution of you public key is a pointless 
exercise.  Controlling authentication is what you and those who 
communicate securely with you whould be concerned about.

me
--------------------------------------------------------------
 Omegaman <[email protected]>
 PGP Key fingerprint =  6D 31 C3 00 77 8C D1 C2  
                        59 0A 01 E3 AF 81 94 63 
Send a message with the text "get key" in the 
"Subject:" field to get a copy of my public key.
--------------------------------------------------------------

Prev by Date: Edited Edupage, 1-Aug-1996
Next by Date: Re: appropriate algorithm for application
Prev by thread: Re: PGP public key servers are NOT useful!
Next by thread: Thank you.
Index(es):
- Date
- Thread