1996-08-09 - Re: PGP public key servers are NOT useful!
Header Data
From: “Omegaman” <omega@bigeasy.com>
To: Amnesia Anonymous Remailer <amnesia@chardos.connix.com>
Message Hash: 5c803edc98b285b38770700d15767be70997369d7f2a719326b75e98950a9d5e
Message ID: <199608082044.PAA00861@betty.bigeasy.com>
Reply To: N/A
UTC Datetime: 1996-08-09 03:18:57 UTC
Raw Date: Fri, 9 Aug 1996 11:18:57 +0800
Raw message
From: "Omegaman" <omega@bigeasy.com>
Date: Fri, 9 Aug 1996 11:18:57 +0800
To: Amnesia Anonymous Remailer <amnesia@chardos.connix.com>
Subject: Re: PGP public key servers are NOT useful!
Message-ID: <199608082044.PAA00861@betty.bigeasy.com>
MIME-Version: 1.0
Content-Type: text/plain
> What I want to prevent is some person I dislike uploading his
> signature on my key
Yes, that's unpreventable. It still does not change the fact that it
is up to the person using your public key to determine if you are
indeed that actual owner of that key.
> How would you like it if I added a new ID to your key containing sort
> of insult, certified that ID, and uploaded the new signature to the
> key servers.
RTFM. Look, go into PGP and try to change your key ID. You will
note that PGP asks you to provide the passphrase to your secret key
before allowing an id change. Someone could not get your public key
off of a keyserver and change the id of the key. The need both your
secret key and your passphrase to do that.
Now someone could create a key-pair themselves and falsely assign
your e-mail address and some miscellaneous crap as the ID. They
could then upload the"rogue" public key portion of this keypair to
the servers.
However, the falsity of this "rogue" public key can be easily
determined by you and anyone who is trying to communicate securely
with you. All of this is explained with great clarity in the PGP
documentation.
Think about this...
Suppose I knew who you were and knew your e-mail address. What's to
stop me from creating a "rogue" key-pair with your address as the
e-mail id and uploading it to the keyservers? Just because you don't
utilize the keyservers, doesn't mean your public key can't be placed
there. "Controlling" the distribution of your public key is giving
you a false sense of security where none is really needed.
Ponder: why is a public key called a "public" key?
"Controlling" the distribution of you public key is a pointless
exercise. Controlling authentication is what you and those who
communicate securely with you whould be concerned about.
me
--------------------------------------------------------------
Omegaman <omega@bigeasy.com>
PGP Key fingerprint = 6D 31 C3 00 77 8C D1 C2
59 0A 01 E3 AF 81 94 63
Send a message with the text "get key" in the
"Subject:" field to get a copy of my public key.
--------------------------------------------------------------
Thread
Return to August 1996
Return to ““Omegaman” <omega@bigeasy.com>”
1996-08-09 (Fri, 9 Aug 1996 11:18:57 +0800) - Re: PGP public key servers are NOT useful! - “Omegaman” <omega@bigeasy.com>