Executive summary: if you care about true people, sign their keys, or create an authority that you trust to sign them, and the keyservers will automatically take care of the rest. This is really a misunderstanding. (When people start using all uppercase letters, it usually is.) I don't like to see people I work closely with (Hi Derek!) the object of such wrath...
false. There could be a network of `true identity' key servers just as easily as there is a network of PSEUDOSPOOFED LIES.
Take it easy for a bit here... the key servers (by which I mean the PGP keyservers such as are run on toxicwaste.mit.edu and elsewhere) *don't provide any authentication*... all they provide is keys. If you trust a key because you got it from a key server, then you have perhaps misunderstood the concept of digital signatures -- you should be able to "validate" the key based on what's in it, not where you got it from. That said, if you or someone of similar interests wanted to provide a "true identity" key service, you'd simply have to create a key for that service, advertise it, convince people to belive that you really were doing a "true identity" service (this is the social side, not the technical side -- you can't convince them in purely electronic means any more than you can convince them you even *exist* in purely electronic means... but you can find some way of building *real world* trust that suffices...) and then start signing the keys of those you assert are "true people". And guess what -- Derek's key server, *and all the others*, would start carrying your signatures and keys. They wouldn't filter them out - it wouldn't be worth the trouble :-) and it would be against their mission which is to provide *keys* not *judgements*...
so, Mr. Keyserver, considering that this (your?) software could be used TODAY to help build up a true identity system, why do you oppose using
Please, sir, do not defame the people who are making your desires possible. Derek has *not* opposed letting *you* sign and publish lists of true-person keys. He's just brought up the practical point that he doesn't have time to do it (nor, perhaps, interest) as well as the technical point that keyservice has *nothing to do* with validity of keys. He's being generous and done everything you need for infrastructure -- all you have to do is identify real people and sign for them (or convince someone *you trust* to do so.) I hope this clears things up a bit. Noone is preventing this from happenning. (If I thought I could make money at it, enough to compensate for the hassle, I'd consider doing it myself... but it probably wouldn't be competitive with the RSA PCA's, as it usually takes a *lot* of money to convince me something is worth the hassle :-) _Mark_ <eichin@paycheck.cygnus.com> ... or at least I might be...