PGP public key servers are NOT useful!

Amnesia Anonymous Remailer amnesia at chardos.connix.com
Thu Aug 8 00:47:15 PDT 1996


"Perry E. Metzger" <perry at piermont.com> writes:

> John Anonymous MacDonald writes:
> > The problem with the PGP public key servers is that
> > one has absolutely no control over what gets uploaded there in one's
> > own name.
> 
> That's why people are supposed to use the web of trust to check the
> keys. You claim to make your key available by finger. How do you know
> that Mallet isn't switching the bits as they go down the wire to your
> correspondents? The only way to verify a key is to check known good
> signatures on it. Because of this, no security is needed on key
> storage facilities per se -- you aren't supposed to trust keys without
> signatures.
> 
> Geesh. I thought this was obvious. I guess not.
> 
> Perry

The web of trust just certifies that the key belongs to someone.  If
you'd read to the end of the message, you would have seen that I was
not complaining about the key certification process in PGP.  At issue is
NOT whether a key can be trusted to belong to someone, but whether or
not random people should be able to tag others' PGP keys with crap.

What I want to prevent is some person I dislike uploading his
signature on my key (particularly if he adds another ID to my key and
signs that).

How would you like it if I added a new ID to your key containing some
sort of insult, certified that ID, and uploaded the new signature to the
key servers?  Alternatively, what if I uploaded 5 "vanity" keys in
your name to the PGP key servers?  Most software would download one
key, fail to certify the signature, and therefore not allow someone to
communicate with you even if that person could have verified your real
key.

I don't understand what the purpose of a centralized key server is,
when the owner of a public key should be the one to control what
certificates and tags are given out with his/her PGP key.
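
The scenario in this message (a user ID attached by a third party, several "vanity" keys under one name), as an added example that is not part of the original post: a client-side filter that ignores user IDs the key owner did not self-sign and checks every key the server returns instead of only the first. The data model, key IDs and the self-signature policy are assumptions of this example, and cryptographic verification of each signature is taken as already done.

```python
from dataclasses import dataclass

@dataclass
class UserID:
    name: str
    certs: set   # key IDs whose signatures on this user ID verified (assumed checked)

@dataclass
class Key:
    key_id: str
    uids: list

def clean(key):
    """Keep only user IDs carrying the key's own self-signature.

    A user ID attached and certified by someone else has no
    self-signature, so it is dropped before anything is displayed or used.
    """
    return [u for u in key.uids if key.key_id in u.certs]

def select_keys(results, name, trusted):
    """Return the IDs of all keys valid for `name`.

    Every key in the server response is examined; a key qualifies when an
    owner-signed user ID matches `name` and a trusted introducer certified it.
    """
    good = []
    for key in results:
        if any(u.name == name and u.certs & trusted for u in clean(key)):
            good.append(key.key_id)
    return good

# Constructed server response: five look-alike keys plus the real one.
NAME = "Alice <alice@example.org>"
REAL = Key("REAL0001", [
    UserID(NAME, {"REAL0001", "INTRO001", "STRANGER"}),  # unwanted cert is ignored
    UserID("unwanted tag", {"STRANGER"}),                 # ID added by a third party
])
VANITY = [Key(f"FAKE000{i}", [UserID(NAME, {f"FAKE000{i}"})]) for i in range(1, 6)]
RESULTS = VANITY + [REAL]      # look-alikes are listed first
TRUSTED = {"INTRO001"}         # introducers this client trusts

if __name__ == "__main__":
    print("usable keys:", select_keys(RESULTS, NAME, TRUSTED))
    print("user IDs shown for REAL0001:", [u.name for u in clean(REAL)])
```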






