-----BEGIN PGP SIGNED MESSAGE-----
In
At 8:31 AM -0700 6/12/97, Bill Frantz wrote:
IMHO - What you are really signing is the binding between the data associated with the key (usually an email address) and the key. You are saying that the secret key holder is (one of the) person(s) who has access to that account, and not some man in the middle in the middle. If you ask to see Lucky Green's, or Futplex's, or Black Unicorn's picture ID, you will either see a forgery or an ID issued by an organization not interested in birth certificates.
I am fairly often accused of being arrogant, of being a "know it all." I have never claimed to be an expert on PGP, and I certainly am not. I use the MacPGP version which became available in '92, and will eventually star t working with PGP 5.x (which I have, and have installed, but not spent much time with).
I generated a 1024-bit key in '92, right after PGP 2.0 appeared, and participated in a key signing, etc., shortly thereafter. It happened that my ISP at that time had just changed from Portal to Netcom. (Now it's "got.net", a fairly typical local provider of non-shell ISP services.)
I can't understand (hint: someone please explain) why I get so many requests to send the "tcmay@got.net" key, as opposed to the "tcmay@netcom.com" key so widely available. I thought the key signings were about the Person Widely Known as "Tim May" being associated with the key signed, not some temporary e-mail address.
My binding was between the key, and "me." Those who wanted to send messages to "me" could assume that only "I" could read it. The address "tcmay@netcom.com" vs. "tcmay@got.net" is not central. Any concern that "tcmay@got.net" is somehow not the keyholder of that '92 key is a nonissue.
If the keyserver databases focus on such ephemera as the current ISP account, then they are focussing on the wrong things.
Am I missing something central?
Well yes, :) There are different levels of trust and authentication in the web of trust. Many (most?) people using PGP will never physically meet and authenticate keys. Their security model does not require this. Instead what PGP is used for is a verification method that I am talking to the same person at tcmay@got.net in my correspondance even though I do not know who he is physically. So over a period of time of exchanging PGP signed messages I can authentincate that all of these messages are all comming from tcmay@got.net who claims to be Tim May. I know that this is not much but at least I know it's not Dimitri or someone else forging the messages from that account (though I don't know if all this time tcmay@got.net has really been one of Dimitri's accounts and that Tim May is really dead). I also use PGP to sign all my distributed source code & binaries for my programs. I also sign all my posts. My sharware customers can verify that the software if from me and unmodified and can also verify any public post regarding the software. Depending on how concerned on this they may be satisfied that seeing the code signed with the same key that I use for my mailing list and in all my public post as enough authentication that the code is valid (though there is nothing preventing them from taking stronger methods of authentication upto and including flying down to FL and meeting me in person). You also have PGP add-on software that does lookups of keys by e-mail address. This is a convient feature if one is working with large keyrings. You do run into the problem of e-mail addresses changing and having multiple keys with the same address. In my software I make use of a default file where a key can be assinged to an e-mail address regardless of what is in the userid. YMMV with other software, from my own testing I have found that most will either take the first key found with duplicats or complain of "no key found" with address changes. - -- - --------------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: cp850 Comment: Registered_User_E-Secure_v1.1b1_ES000000 iQCVAwUBM6C/hY9Co1n+aLhhAQGDzgQAr85CR5eIFZCFaM/pTGnt5c14x0HUYJJD Muk7xEyR23cIZP9lrWyq+3IsIfk10sR+rLl2Ip05mwSFOasd1FRyuAIVv6vM6Ovm 3m3nSBfHwP0hQtwwrnCCFlOxScBuWjiSn8Pu/r2yhd6A1+vU8D+JeWe9VuPsDRv7 IRMeLadpvC8= =1Fl1 -----END PGP SIGNATURE-----