16 Dec
2004
16 Dec
'04
10:20 p.m.
On 2004-12-16T05:50:22-0500, Adam Back wrote:
So PGP are now running a pgp key server which attempts to consolidate the inforamtion from the existing key servers, but screen it by ability to receive email at the address. ... So here's the problem: it does not mention anything about checking that this is your fingerprint.
What about the fact that they're tying key validity to valid email addresses, when the two have nothing to do with each other? A key does not need to have an associated email address, or the latter could be purposely incorrect. If this is their idea of key verification, they're going to exclude perfectly legitimate keys from this new database.