Thanks for the bug report. We appreciate your help in fine-tuning the language in the verification emails of the beta test of the PGP Global Directory. We noticed this one, ourselves, and put out an improvement to it on Tuesday. Please check it over and see what you think of the improved version. If you would like to send bug reports to us directly, please feel free to send them to beta@pgp.com. Cypherpunks and Cryptography are both inefficient ways to get them to us, as Cryptography waits for Perry to approve the post, and Cypherpunks waits for Bob Hettinga to forward it.

However, the Global Directory does not consolidate information from any other keyservers. It is a replacement for the old keyserver, keyserver.pgp.com, and will take over that venerable old server's job once beta test is concluded. We are, however, migrating a number of keys from the old keyserver to that one. Think of the new keyserver as a mix between traditional keyservers, mailing list servers like mailman, and a robot CA. Its intent is to improve upon the older keyservers by giving some modicum of assurance that keys in it belong to someone, as well as allowing someones to recover from forgetting their passphrase.

Jon

On 16 Dec 2004, at 7:13 AM, R.A. Hettinga wrote:
--- begin forwarded text
Date: Thu, 16 Dec 2004 05:50:22 -0500
From: Adam Back <adam@cypherspace.org>
To: Cypherpunks <cypherpunks@minder.net>
Cc: Cryptography <cryptography@metzdowd.com>
Subject: pgp "global directory" bugged instructions
User-Agent: Mutt/1.4.1i
Sender: owner-cypherpunks@al-qaeda.net
So PGP are now running a pgp key server which attempts to consolidate the information from the existing key servers, but screen it by ability to receive email at the address.
So they send you an email with a link in it and you go there and it displays your key userid, keyid, fingerprint and email address.
Then it says:
| Please verify that the email address on this key, adam@hashcash.org,
| is your email address, and is properly configured to send and
| receive PGP secured email.
|
| If the information is correct, click 'Accept'. By clicking 'Accept',
| your key will be published to the directory, where other PGP users
| will be able to retrieve it in order to encrypt messages to you and
| verify signed messages from you.
|
| If this information is incorrect, click 'Cancel'. By clicking
| 'Cancel', this key will not be published. You may then submit
| another key with the correct information.
So here's the problem: it does not mention anything about checking that this is your fingerprint. If it's not your fingerprint but it is your email address you could end up DoSing yourself, or at least perpetuating an imposter key into the new supposedly email validated keyserver db.
(For example on some key servers there are keys with my name and email that are nothing to do with me -- they are pure forgeries).
Suggest they add something to say in red letters check the fingerprint AND keyid matches your key.
Adam
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'
--
Jon Callas
CTO, CSO
PGP Corporation
3460 West Bayshore
Palo Alto, CA 94303
USA
Tel: +1 (650) 319-9016
Fax: +1 (650) 319-9001
PGP: ed15 5bdf cd41 adfc 00f3 28b6 52bf 5a46 bc98 e63d
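As an added example (not code from this thread, from Adam, or from PGP Corporation), here is what Adam's suggested check amounts to in OpenPGP terms: the fingerprint and key ID are derived from the key material alone, while the e-mail address lives in a separate User ID packet, so a verification page that only confirms the address lets an imposter key carrying the same address through. It assumes RFC 4880 v4 RSA public-key packets; the two keys are constructed toy values, not real keys.

```python
import hashlib
import struct

# Added example, not from the thread or PGP Corp.: what a verification
# e-mail must make the user compare. The fingerprint hashes the key
# material only; the e-mail address lives in a separate User ID packet,
# so receiving mail at that address proves nothing about whose key it is.

def mpi(x: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = x.bit_length()
    return struct.pack(">H", bits) + x.to_bytes((bits + 7) // 8, "big")

def rsa_v4_body(created: int, n: int, e: int) -> bytes:
    """Version 4 RSA public-key packet body (RFC 4880 5.5.2): version byte,
    creation time, algorithm 1 (RSA), then n and e as MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_id(fp: bytes) -> bytes:
    """The v4 key ID is the low-order 64 bits of the fingerprint."""
    return fp[-8:]

def display(fp: bytes) -> str:
    """Groups of four hex digits, the way PGP prints fingerprints."""
    h = fp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def should_accept(shown_email: str, shown_fp: str, my_email: str, my_fp: str) -> bool:
    """Decision the user must make on the 'Accept' page: publish only if BOTH
    the address and the fingerprint match a key they actually hold."""
    def norm(s: str) -> str:
        return s.replace(" ", "").lower()
    return shown_email.lower() == my_email.lower() and norm(shown_fp) == norm(my_fp)

# Constructed toy keys (tiny moduli, not real keys) sharing one e-mail address.
EMAIL = "adam@hashcash.org"
GENUINE = v4_fingerprint(rsa_v4_body(1_100_000_000, 0xC0FFEE_F00D_1234_5678_9ABC, 65537))
FORGERY = v4_fingerprint(rsa_v4_body(1_100_000_000, 0xDEADBEEF_0BAD_CAFE_1234_5678, 65537))

if __name__ == "__main__":
    print("genuine:", display(GENUINE), "key ID", key_id(GENUINE).hex().upper())
    print("forgery:", display(FORGERY), "key ID", key_id(FORGERY).hex().upper())
    # Same address on both keys; only the fingerprint tells them apart.
    print("accept forgery?", should_accept(EMAIL, display(FORGERY), EMAIL, display(GENUINE)))
```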