pgp "global directory" bugged instructions

Jon Callas jon at pgp.com
Thu Dec 16 21:28:59 PST 2004 

Thanks for the bug report. We appreciate your help in fine-tuning the 
language in the verification emails of the beta test of the PGP Global 
Directory. We noticed this one, ourselves, and put out an improvement 
to it on Tuesday. Please check it over and see what you think of the 
improved version.

If you would like to send bug reports to us directly, please feel free 
to send them to beta at pgp.com. Cypherpunks and Cryptography are both 
inefficient ways to get them to us, as Cryptography waits for Perry to 
approve the post, and Cypherpunks waits for Bob Hettinga to forward it.

However, the Global Directory does not consolidate information from any 
other keyservers. It is a replacement for the old keyserver, 
keyserver.pgp.com, and will take over that venerable old server's job 
once beta test is concluded. We are, however, migrating a number of 
keys from the old keyserver to that one.

Think of the new keyserver as a mix between traditional keyservers, 
mailing list servers like mailman, and a robot CA. Its intent is to 
improve upon the older keyservers by giving some modicum of assurance 
that keys in it belong to someone, as well as allowing someones to 
recover from forgetting their passphrase.

	Jon

On 16 Dec 2004, at 7:13 AM, R.A. Hettinga wrote:

>
> --- begin forwarded text
>
>
> Date: Thu, 16 Dec 2004 05:50:22 -0500
> From: Adam Back <adam at cypherspace.org>
> To: Cypherpunks <cypherpunks at minder.net>
> Cc: Cryptography <cryptography at metzdowd.com>
> Subject: pgp "global directory" bugged instructions
> User-Agent: Mutt/1.4.1i
> Sender: owner-cypherpunks at al-qaeda.net
>
> So PGP are now running a pgp key server which attempts to consilidate
> the inforamtion from the existing key servers, but screen it by
> ability to receive email at the address.
>
> So they send you an email with a link in it and you go there and it
> displays your key userid, keyid, fingerprint and email address.
>
> Then it says:
>
> | Please verify that the email address on this key, adam at hashcash.org,
> | is your email address, and is properly configured to send and
> | receive PGP secured email.
> |
> | If the information is correct, click 'Accept'. By clicking 'Accept',
> | your key will be published to the directory, where other PGP users
> | will be able to retrieve it in order to encrypt messages to you and
> | verify signed messages from you.
> |
> | If this information is incorrect, click 'Cancel'. By clicking
> | 'Cancel', this key will not be published. You may then submit
> | another key with the correct information.
>
> So here's the problem: it does not mention anything about checking
> that this is your fingerprint.  If it's not your fingerprint but it is
> your email address you could end up DoSing yourself, or at least
> perpetuating a imposter key into the new supposedly email validated
> keyserver db.
>
> (For example on some key servers there are keys with my name and email
> that are nothing to do with me -- they are pure forgeries).
>
> Suggest they add something to say in red letters check the fingerprint
> AND keyid matches your key.
>
> Adam
>
> --- end forwarded text
>
>
> -- 
> -----------------
> R. A. Hettinga <mailto: rah at ibuc.com>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
>
-- 
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d


-- 
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d


________________________________________________________________
This message could have been secured by PGP Universal. To secure
future messages from this sender, please click this link:

https://keys.pgp.com/b/b.e?r=cypherpunks%40minder.net&n=NsqztWUvWFO%2Be83dnF4HAw%3D%3D

More information about the cypherpunks-legacy mailing list