From: “Mark W. Eichin” <eichin@paycheck.cygnus.com>
To: ld231782@longs.lance.colostate.edu
Message Hash: 99fbba67f754b2da5cf082092a8db3968429881238c3ab15c637cb14e9a66290
Message ID: <9311140602.AA03621@paycheck.cygnus.com>
Reply To: <9311150432.AA21999@longs.lance.colostate.edu>
UTC Datetime: 1993-11-15 09:30:20 UTC
Raw Date: Mon, 15 Nov 93 01:30:20 PST
Subject: Key Servers

Executive summary: if you care about true people, sign their keys, or
create an authority that you trust to sign them, and the keyservers
will automatically take care of the rest.

This is really a misunderstanding. (When people start using all
uppercase letters, it usually is.) I don't like to see people I work
closely with (Hi Derek!) the object of such wrath...

>> false. There could be a network of `true identity' key servers just as
>> easily as there is a network of PSEUDOSPOOFED LIES.

Take it easy for a bit here... the key servers (by which I mean the
PGP keyservers such as are run on toxicwaste.mit.edu and elsewhere)
*don't provide any authentication*... all they provide is keys. If you
trust a key because you got it from a key server, then you have
perhaps misunderstood the concept of digital signatures -- you should
be able to "validate" the key based on what's in it, not where you got
it from.

That said, if you or someone of similar interests wanted to provide a
"true identity" key service, you'd simply have to create a key for
that service, advertise it, convince people to believe that you really
were doing a "true identity" service (this is the social side, not the
technical side -- you can't convince them in purely electronic means
any more than you can convince them you even *exist* in purely
electronic means... but you can find some way of building *real world*
trust that suffices...) and then start signing the keys of those you
assert are "true people".

And guess what -- Derek's key server, *and all the others*, would
start carrying your signatures and keys. They wouldn't filter them out
- it wouldn't be worth the trouble :-) and it would be against their
mission which is to provide *keys* not *judgements*...

>> so, Mr. Keyserver, considering that this (your?) software could be used
>> TODAY to help build up a true identity system, why do you oppose using

Please, sir, do not defame the people who are making your desires
possible. Derek has *not* opposed letting *you* sign and publish lists
of true-person keys. He's just brought up the practical point that he
doesn't have time to do it (nor, perhaps, interest) as well as the
technical point that keyservice has *nothing to do* with validity of
keys. He's being generous and has done everything you need for
infrastructure -- all you have to do is identify real people and sign
for them (or convince someone *you trust* to do so.)

I hope this clears things up a bit. No one is preventing this from
happening. (If I thought I could make money at it, enough to
compensate for the hassle, I'd consider doing it myself... but it
probably wouldn't be competitive with the RSA PCA's, as it usually
takes a *lot* of money to convince me something is worth the
hassle :-)

_Mark_ <eichin@paycheck.cygnus.com>
... or at least I might be...
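
The distinction drawn in the message above, as an added sketch that is not part of the original post or of the PGP keyserver software: a server that carries every key and signature it is given, and a client that accepts a key only when a signer it already trusts has certified it. It assumes toy textbook RSA over Mersenne primes (no padding, not secure); the user id, key sizes and all names are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(uid, n, modulus):
    """Hash the (user id, key) binding into the signer's modulus range."""
    h = hashlib.sha256(f"{uid}|{n}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def certify(signer_n, signer_d, uid, n):
    """The signer asserts 'key n belongs to uid'; returns (signer key, signature)."""
    return signer_n, pow(digest(uid, n, signer_n), signer_d, signer_n)

class KeyServer:
    """Carries every key and signature uploaded to it; judges none of them."""
    def __init__(self):
        self.entries = []
    def upload(self, uid, n, sigs):
        self.entries.append((uid, n, sigs))
    def lookup(self, uid):
        return [e for e in self.entries if e[0] == uid]

def accepted_keys(server, uid, trusted):
    """Keep only keys certified by a signer we already trust, wherever they came from."""
    return [n for _, n, sigs in server.lookup(uid)
            if any(s in trusted and pow(sig, E, s) == digest(uid, n, s)
                   for s, sig in sigs)]

def mersenne(k):
    return 2**k - 1  # prime for k = 61, 89, 107, 127

# Constructed sample data: a "true identity" authority, a real user, an impostor.
UID = "alice@example.org"
auth_n, auth_d = make_key(mersenne(89), mersenne(107))
alice_n, _ = make_key(mersenne(61), mersenne(127))
fake_n, fake_d = make_key(mersenne(61), mersenne(89))

server = KeyServer()
server.upload(UID, alice_n, [certify(auth_n, auth_d, UID, alice_n)])
# Impostor key: self-signed, plus a bogus signature claiming to be the authority's.
server.upload(UID, fake_n, [certify(fake_n, fake_d, UID, fake_n), (auth_n, 12345)])

TRUSTED = {auth_n}  # authority key obtained out of band, not from the server
print(len(server.lookup(UID)), accepted_keys(server, UID, TRUSTED) == [alice_n])
```

The server returns both keys for the same user id; which one is accepted depends only on the set of signers the client chose to trust.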