1996-08-09 - Re: PGP public key servers are NOT useful!

Header Data

From: “Omegaman” <omega@bigeasy.com>
To: Amnesia Anonymous Remailer <amnesia@chardos.connix.com>
Message Hash: 5c803edc98b285b38770700d15767be70997369d7f2a719326b75e98950a9d5e
Message ID: <199608082044.PAA00861@betty.bigeasy.com>
Reply To: N/A
UTC Datetime: 1996-08-09 03:18:57 UTC
Raw Date: Fri, 9 Aug 1996 11:18:57 +0800

Raw message

From: "Omegaman" <omega@bigeasy.com>
Date: Fri, 9 Aug 1996 11:18:57 +0800
To: Amnesia Anonymous Remailer <amnesia@chardos.connix.com>
Subject: Re: PGP public key servers are NOT useful!
Message-ID: <199608082044.PAA00861@betty.bigeasy.com>
MIME-Version: 1.0
Content-Type: text/plain



> What I want to prevent is some person I dislike uploading his
> signature on my key

Yes, that's unpreventable.  It still does not change the fact that it 
is up to the person using your public key to determine if you are 
indeed that actual owner of that key.
 
> How would you like it if I added a new ID to your key containing sort
> of insult, certified that ID, and uploaded the new signature to the
> key servers.

RTFM.  Look, go into PGP and try to change your key ID.  You will 
note that PGP asks you to provide the passphrase to your secret key 
before allowing an id change.  Someone could not get your public key 
off of a keyserver and change the id of the key.  The need both your 
secret key and your passphrase to do that.

Now someone could create a key-pair themselves and  falsely assign 
your e-mail address and some miscellaneous crap as the ID.  They 
could then upload the"rogue" public key portion of this keypair to 
the servers.

However, the falsity of this "rogue" public key can be easily 
determined by you and anyone who is trying to communicate securely 
with you.  All of this is explained with great clarity in the PGP 
documentation.

Think about this...
Suppose I knew who you were and knew your e-mail address.  What's to 
stop me from creating a "rogue" key-pair with your address as the 
e-mail id and uploading it to the keyservers?  Just because you don't 
utilize the keyservers, doesn't mean your public key can't be placed 
there.  "Controlling" the distribution of your public key is giving 
you a false sense of security where none is really needed.

Ponder: why is a public key called a "public" key?

"Controlling" the distribution of you public key is a pointless 
exercise.  Controlling authentication is what you and those who 
communicate securely with you whould be concerned about.

me
--------------------------------------------------------------
 Omegaman <omega@bigeasy.com>
 PGP Key fingerprint =  6D 31 C3 00 77 8C D1 C2  
                        59 0A 01 E3 AF 81 94 63 
Send a message with the text "get key" in the 
"Subject:" field to get a copy of my public key.
--------------------------------------------------------------





Thread