
At 11:55 AM 4/4/96 -0500, Jack P. Starrantino jpps@voicenet.com wrote:
> Is there a reliable method for obtaining the pgp public key for an arbitrary email address? [....] to obtain keys I do not have.
Reliable? No; not everybody follows The One True Key Distribution Method, or even follows one-or-more of the popular electronic approaches, and not all keys that are distributed electronically are on the Internet, though some of them may be on intranets or fido or uucp nets. There's also the problem that the results are not unique. If you look at the MIT keyserver, http://www-swiss.ai.mit.edu/~bal/pks-toplev.html, in the cluttered "Bill Stewart" namespace, you'll find several Bill Stewarts, and you'll find many people have multiple keys for each email address, especially after they've been in the servers a few years.
> I've caught some of the discussion on key servers, and noted some people's use of their signature, plan, or home page to distribute their keys. Is some combination of these suitable today?
> Is there a parseable convention in use for extracting keys from mail/finger/html?
Sure - the standard ASCII form that PGP extracts keys in is parseable by PGP. (You have to be careful, when obtaining keys by mail/finger/html, that if you get multiple keys, you do something appropriate, like split them up first.) Unfortunately, Real PGP likes to ask you interactively if you want to add the keys it found to a keyring, or whatever, but you could just feed it some "Y"s on stdin to keep it happy. The new PGP 3.0 stuff will have libraries so it's much easier to build clean routines to do this rather than interact.
There's a collection of keyservers that stay in sync with each other, including the ones at pgp.mit.edu. bal's http interface is a popular way to access them, though there are other communications methods as well. Some other people use finger; finger's really just a telnet to port 79 while sending a requested name and holding the connection up to wait for replies, but not everybody uses that either, and many host systems don't serve finger. My work PGP address is available on my company's internal phone-book web, and printed on my business cards, though I have now put it on MIT's server.
> My goal is to make encryption the default behavior on outgoing mail. I am not concerned about local security.
Good luck! You'll probably have to prompt the user at least for disambiguation, and possibly for methods for finding keys as well.
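
The "split them up first" step for keys arriving by mail, finger or html, as an added example that is not part of the original message: it pulls each ASCII-armored public key block out of surrounding text and checks the armor's CRC-24 line, so a block damaged in transit is flagged before it reaches a keyring. The function names and the sample message are assumptions made for illustration, and the sample bytes are constructed, not real keys.

```python
import base64
import re

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
ARMOR_RE = re.compile(re.escape(BEGIN) + r"\r?\n(.*?)\r?\n" + re.escape(END), re.DOTALL)

def crc24(data: bytes) -> int:
    """CRC-24 of the armor checksum line (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def split_key_blocks(text: str) -> list:
    """Return one (binary_key_data, checksum_ok) pair per armored block in text."""
    results = []
    for match in ARMOR_RE.finditer(text):
        lines = [ln.strip() for ln in match.group(1).splitlines()]
        if "" in lines:  # armor headers ("Version: ...") end at the first blank line
            lines = lines[lines.index("") + 1:]
        lines = [ln for ln in lines if ln]
        try:
            expected = None
            if lines and len(lines[-1]) == 5 and lines[-1].startswith("="):
                expected = int.from_bytes(base64.b64decode(lines.pop()[1:], validate=True), "big")
            data = base64.b64decode("".join(lines), validate=True)
        except ValueError:  # mangled base64: report the block, mark it unusable
            results.append((b"", False))
            continue
        results.append((data, expected == crc24(data)))
    return results

def armor(data: bytes) -> str:
    """Wrap constructed bytes in armor so the sample below is self-consistent."""
    body = base64.b64encode(data).decode()
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"{BEGIN}\nVersion: constructed-sample\n\n{body}\n={check}\n{END}"

def sample_mail() -> str:
    """Constructed message text carrying two blocks; the bytes are not real keys."""
    good = armor(b"constructed key material A")
    damaged = armor(b"constructed key material B").replace("Y29u", "Y29v", 1)
    return f"My keys follow.\n{good}\nand the old one:\n{damaged}\n-- \nsignature text\n"

if __name__ == "__main__":
    for data, ok in split_key_blocks(sample_mail()):
        print(len(data), "bytes, armor checksum", "ok" if ok else "BAD")
```

A passing checksum only shows the armor survived transport; it says nothing about whose key it is, so the disambiguation prompt mentioned above is still needed when several blocks come back for one address.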