
signatures and keyservers (was Re: Apache, mod_auth_pam, pam_krb4, and you)



On Mon, Jul 09, 2001 at 01:23:29PM -0600, Hubert Chan wrote:

> PS. If you're going to PGP-sign your messages, you might want to upload
> your key to a server, so that we can check the sig.

At this late date, I'm a little confused as to what the benefit of key
servers is, and I'm even a little bit confused why people PGP / GnuPG
sign their mail to mailing lists. As you will no doubt notice, I've
gone along with common practice and created a GnuPG key for use with
mailing lists and other low-trust / low-threat environments. I'm just
not sure why.

Let me explain.

It seems to me that the use of signatures on these lists is to prove
an association between a user and an e-mail address, i.e. "yes, this
e-mail actually comes from the From: address specified in the header".
No more, no less. Unless you know me or have some other stake in
knowing that said mail is from where it says it is, this information
is of little use to you. Furthermore, even if you do care, there's
nothing stopping determined attackers from inserting keys that
misrepresent themselves into the key server -- unless you as a
recipient decide to verify the fingerprint of my key. Since that step
must be accomplished anyway, how much of an additional hassle is it to
ask me for my key in the first place?

Of course, this would be a different story if the web of trust were in
more common usage, but it's not, outside of debian-maintainers and
some small klatches of die-hard cypherpunks, some of whom are too
paranoid to admit who they know anyway.

Sorry for the off-topicness, but you pushed one of my buttons, Hubert.

Forrest L Norvell,
GnuPG key available upon request ;)

-- 
       . . . the self-reflecting image of a narcotized mind . . .
ozymandias G desiderata     ogd@aoaioxxysz.net     desperate, deathless
(415)558-9064        http://www.aoaioxxysz.com/          ::AOAIOXXYSZ::

Attachment: pgpg5Cwmk5kP3.pgp
Description: PGP signature
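The scenario Forrest describes above, as an added example that is not part of the original message: two keys carrying the same user ID (one genuine, one uploaded by an impostor), both of which a reader pulled from a keyserver. `gpg --verify` reports a good signature for either, because a signature only binds a message to a key; what turns that into "this really is Forrest" is comparing the signing key's fingerprint against one obtained from him directly. The script assumes GnuPG 2.x on PATH, uses throwaway keys in temporary homedirs, and the message text and the `verify_pinned` / `own_fpr` helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a gpg "Good signature" binds a
# message to a key, not to a person. Identity comes from a fingerprint you
# obtained out of band. Assumes GnuPG 2.x; all keys here are throwaway.
set -eu

WORK=$(mktemp -d)
REAL="$WORK/real"      # Forrest's own keyring
IMPOSTOR="$WORK/fake"  # attacker's keyring, same user ID
VICTIM="$WORK/victim"  # a list reader who fetched both keys from a keyserver
mkdir -p "$REAL" "$IMPOSTOR" "$VICTIM"
chmod 700 "$REAL" "$IMPOSTOR" "$VICTIM"
UID_STR="Forrest L Norvell <ogd@aoaioxxysz.net>"
trap 'for h in "$REAL" "$IMPOSTOR" "$VICTIM"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null; done; rm -rf "$WORK"' EXIT

# g HOMEDIR ARGS...: non-interactive gpg against a specific keyring
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# own_fpr HOMEDIR: primary-key fingerprint of the secret key in that homedir
own_fpr() {
    g "$1" --with-colons --list-secret-keys | awk -F: '/^fpr/ { print $10; exit }'
}

# Nothing stops anyone from generating a key with someone else's name on it.
g "$REAL"     --quick-gen-key "$UID_STR" default default never
g "$IMPOSTOR" --quick-gen-key "$UID_STR" default default never

# The victim's --recv-keys pulled both (simulated here by export/import).
g "$REAL"     --export "$UID_STR" | g "$VICTIM" --import
g "$IMPOSTOR" --export "$UID_STR" | g "$VICTIM" --import

# verify_pinned MSG SIG PINNED_FPR: succeeds only if the signature is good AND
# the primary key that made it has the fingerprint you verified out of band.
verify_pinned() {
    msg=$1; sig=$2; pinned=$3
    status=$(g "$VICTIM" --status-fd 1 --verify "$sig" "$msg" 2>/dev/null) || return 1
    # VALIDSIG's last field is the primary-key fingerprint of the signer.
    actual=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$actual" ] && [ "$actual" = "$pinned" ]
}

# Constructed sample message, signed once by each key.
printf 'Please upgrade: the patch is at http://example.invalid/\n' > "$WORK/msg"
g "$REAL"     --detach-sign --output "$WORK/real.sig" "$WORK/msg"
g "$IMPOSTOR" --detach-sign --output "$WORK/fake.sig" "$WORK/msg"

# The fingerprint you got by asking Forrest for his key, not from a keyserver.
PINNED=$(own_fpr "$REAL")

# Plain --verify accepts the impostor's signature: the key really did sign it.
g "$VICTIM" --verify "$WORK/fake.sig" "$WORK/msg" 2>/dev/null && \
    echo "impostor sig: gpg reports a good signature"
verify_pinned "$WORK/msg" "$WORK/real.sig" "$PINNED" && \
    echo "real sig: fingerprint matches pinned value"
verify_pinned "$WORK/msg" "$WORK/fake.sig" "$PINNED" || \
    echo "impostor sig: fingerprint mismatch, rejected"
```

Both verifications succeed at the "signature is valid" level; only the fingerprint comparison separates them. gpg itself prints "This key is not certified with a trusted signature" for both keys in the victim's keyring, which is the web-of-trust signal the post says almost nobody acts on; the pinned fingerprint is the manual substitute for it.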

