pgp "global directory" bugged instructions
So PGP are now running a pgp key server which attempts to consolidate the information from the existing key servers, but screen it by ability to receive email at the address.

So they send you an email with a link in it and you go there and it displays your key userid, keyid, fingerprint and email address. Then it says:

| Please verify that the email address on this key, adam@hashcash.org,
| is your email address, and is properly configured to send and
| receive PGP secured email.
|
| If the information is correct, click 'Accept'. By clicking 'Accept',
| your key will be published to the directory, where other PGP users
| will be able to retrieve it in order to encrypt messages to you and
| verify signed messages from you.
|
| If this information is incorrect, click 'Cancel'. By clicking
| 'Cancel', this key will not be published. You may then submit
| another key with the correct information.

So here's the problem: it does not mention anything about checking that this is your fingerprint. If it's not your fingerprint but it is your email address you could end up DoSing yourself, or at least perpetuating an imposter key into the new supposedly email validated keyserver db. (For example on some key servers there are keys with my name and email that are nothing to do with me -- they are pure forgeries).

Suggest they add something to say in red letters check the fingerprint AND keyid matches your key.

Adam
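The check asked for in the message above, as an added example that is not part of the original thread: it derives the version 4 OpenPGP fingerprint and key ID from a public-key packet body (RFC 4880) and compares both with what a verification page displays. The two key bodies are built from constructed toy RSA values, and all function names are hypothetical.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte body length and the body (RFC 4880, section 12.2).
    The user ID (name, email) is not hashed, so an email match proves nothing here."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]


def normalize(shown: str) -> str:
    """Drop whitespace, colons and a 0x prefix from a value as displayed."""
    s = "".join(shown.split()).replace(":", "").upper()
    return s[2:] if s.startswith("0X") else s


def matches_my_key(my_body: bytes, shown_fpr: str, shown_keyid: str) -> bool:
    """True only if the displayed fingerprint AND key ID both belong to my key."""
    mine = v4_fingerprint(my_body)
    return normalize(shown_fpr) == mine and normalize(shown_keyid) == key_id(mine)


# Constructed toy key material (not real keys): same email could sit on both.
MY_KEY = v4_public_key_body(1103000000, n=0xC0FFEE1234567890ABCDEF0123456789, e=65537)
IMPOSTER_KEY = v4_public_key_body(1103000001, n=0xBADC0DE1234567890ABCDEF012345677, e=65537)

if __name__ == "__main__":
    fpr = v4_fingerprint(MY_KEY)
    shown = " ".join(fpr[i:i + 4] for i in range(0, 40, 4))  # as a page might group it
    print("my key shown:      ", matches_my_key(MY_KEY, shown, "0x" + key_id(fpr)))
    bad = v4_fingerprint(IMPOSTER_KEY)
    print("imposter key shown:", matches_my_key(MY_KEY, bad, key_id(bad)))
```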
On 2004-12-16T05:50:22-0500, Adam Back wrote:
So PGP are now running a pgp key server which attempts to consolidate the information from the existing key servers, but screen it by ability to receive email at the address. ... So here's the problem: it does not mention anything about checking that this is your fingerprint.
What about the fact that they're tying key validity to valid email addresses, when the two have nothing to do with each other? A key does not need to have an associated email address, or the latter could be purposely incorrect. If this is their idea of key verification, they're going to exclude perfectly legitimate keys from this new database.
participants (2): Adam Back, Justin