1996-01-29 - Here’s how you put your key on the keyservers…

Header Data

From: Ted Garrett <teddygee@visi.net>
To: cypherpunks@toad.com
Message Hash: 89fb195aaae081c19984810f7e2d3f7defa3b500448429bda7bc030cada21cbe
Message ID: <2.2.32.19960129123934.006abc88@mail.visi.net>
Reply To: N/A
UTC Datetime: 1996-01-29 19:56:05 UTC
Raw Date: Tue, 30 Jan 1996 03:56:05 +0800

Raw message

From: Ted Garrett <teddygee@visi.net>
Date: Tue, 30 Jan 1996 03:56:05 +0800
To: cypherpunks@toad.com
Subject: Here's how you put your key on the keyservers...
Message-ID: <2.2.32.19960129123934.006abc88@mail.visi.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

I got a message in response to a request I made to someone for their public
key.  I wanted to check the signatures that they included with their posts
to cypherpunks, but their key was not on the keyservers.  The key they
included was completely unsigned, and when I use it to validate their
previous posts as well as the message they sent which included the key, the
signatures come back as bad, the contents of the file changed.  Names are
appropriately withheld (I hope).  As I understand the bcc: definition, only
I and the first smtp server this message hits should know who it's to.  I
don't know if anyone else reading this mailing list needs this info, but
just in case... here's my reply to the message.

At 10:03 PM 1/28/96 -0800, you wrote:
>Sorry, I'm a newbie to Internet, and also the Internet usage of PGP.  I just
>participated in a local keysigning meeting, so maybe my key will find its
>way to a server.

Don't worry about being a 'newbie'.  Everyone starts somewhere.  However,
your key will usually not 'find its way' to a server without you
specifically sending it.  The keyserver I usually use is accessed by sending
a mail message which fits the following format.  As far as I know, all the
keyservers use this format to add or update keys in their databases.  You
only have to send it to one keyserver, and it will propagate to all the
others.  I have indented the text so that no handlers decide to interpret it
as a new message.

- - To: pgp-public-keys@pgp.iastate.edu
- - Subject: ADD
- -
- - -----BEGIN PGP PUBLIC KEY BLOCK-----
- - Version: 2.6.2
- -
- - [key deleted to protect the innocent]
- -
- - -----END PGP PUBLIC KEY BLOCK-----

>I'm sorry to have to admit that I don't even know how to do this!  Newbie
>alert!

If you don't admit you don't know something, nobody will usually tell you
how to do it.  Also, you should sign your own key.  That will make it harder
to forge, I think.  The reasons were spelled out in a couple of the web
pages I read, but I've forgotten them.  It has something to do with either a
denial of service attack or a man in the middle attack, or both.  The
command to do this is:

pgp -ks 0xHEXKEYID

Honestly, I've only just begun to use pgp myself.  Also, you should add your
e-mail address to the user-id of your key.  The command to do so is: 

pgp -ke 0xHEXKEYID

You will be asked if you wish to add a user id to the key.  Say yes, and
give it your e-mail address.  What this does is it allows people who are
using pgp-enabled mailers to directly encrypt messages to you without
choosing your key manually.

The reason that I have not encrypted this message to you using the key you
provided is that when I extracted the key and re-checked your message, the
signature was no good.  I've found that (using eudora) I must turn off the
word wrap feature of my mailer to allow for good signed messages out.  Of
course, having said this, I'll probably not get a good signature on this
message.  Let me know if it signs ok.

Now, I have a question.  Which attack(s) is/are a person vulnerable to when
distributing an unsigned public key in the open?  Could this actually be a
complex man-in-the-middle attack?  Am I paranoid?


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMQy/ds1+l8EKBK5FAQER8Af/SE1lTj3zcpm3ildFGO75zjZiJByZQi+3
LAkYgcHyBmtvhCTvyYCP2aMF4RjayrR3OHB85XthIA4sPmU0NDCVZYv7riSPjslp
iBxUk92dO+BkP8nrTFgqCzR4qPqbOSmZxeovZI0PfQvbm99fG6Fc2kjhdKP7Aq+G
cw4r0vvJY8JbqAuXftgZgndL9iGR/+xjfrpl+EWL3xtWzpIRfwMS5KMsR1UOf1ZA
g9mlMEGLXy5KC/BwaupgTTwlSA/NOTv5mAY8+UWt9ydMWXBqNVt/yiGFsjg5UR1M
CaT2D23pLAnWZ8M7yrjMamadkn2iLBqq4nhBNOGYHfZrGcbm/mhmxQ==
=jGo3
-----END PGP SIGNATURE-----






Thread