Posted to community@apache.org by Shane Curcuru <sh...@yahoo.com> on 2004/12/17 17:23:36 UTC

Re: [PGP Global Directory] Verify Email Address - what do people think?

Anyone with a PGP key on the pgp.com keyserver likely has gotten one or
more of these emails recently.  I'm figuring it's legit, see
http://www.pgp.com/downloads/beta/globaldirectory/faq.html

- Any security types have a decent analysis of what the new pgp.com's
"Directory" really means, vs. using other keyservers?

- Hey: how many of us still see the pgp.com keyserver as a useful thing
for building the Apache web-of-trust, versus other keyservers or simply
managing keys individually?

A couple of things in the FAQ are interesting:
- Only supports v4 keys - no RSA legacy keys (they get deleted before
being posted in the directory)

- Verifies keys every 6 months by requiring a clickthru response to
emails sent to <yo...@domain.blah>; only keys with email addr are
supported.

- *Only* signatures from other keys that are also in the Directory are
supported: other signatures are removed before being exposed in the
Directory.  (This one is mildly annoying)  I wonder how many out of
their claimed 107 signatures on my key will remain after this check.

- Shane
T4k2x9fLEluOb3rs8AqBQSW8EnyyQZrNPMCpn3XdAQGg9AP9FIsA
(Forgot the passphrase for my new .sig)

=====
- Shane

<eof .sig="Gobble Gobble!" />

---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org
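Added illustration, not from the thread or from PGP Corp: a small Python model of the three Directory rules Shane quotes from the FAQ (v4 keys only, periodic email re-verification, only signatures from keys that are themselves listed), run over constructed key records to show why the surviving-signature count drops. The data model, the 183-day window, the field names and the sample keys are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# "Verifies keys every 6 months": the exact window is not stated, 183 days is assumed.
VERIFY_WINDOW = timedelta(days=183)


@dataclass
class Key:
    key_id: str
    version: int                          # OpenPGP key packet version (FAQ: v4 only)
    email: Optional[str]                  # None: no email user ID on the key
    last_verified: Optional[date]         # None: owner never answered the clickthru
    signers: Set[str] = field(default_factory=set)  # key_ids that signed this key


def directory_view(keys: List[Key], today: date) -> Dict[str, Set[str]]:
    """Return {key_id: surviving signer ids} for the keys the Directory would expose."""
    # Rules 1 and 2: only v4 keys with an email address, re-verified within the window.
    listed = {
        k.key_id: k for k in keys
        if k.version == 4
        and k.email is not None
        and k.last_verified is not None
        and today - k.last_verified <= VERIFY_WINDOW
    }
    # Rule 3: signatures survive only if the signing key is itself in the Directory.
    return {kid: k.signers & set(listed) for kid, k in listed.items()}


def demo() -> Dict[str, Set[str]]:
    """Constructed sample: five signers on 'shane', evaluated on the post's date."""
    today = date(2004, 12, 17)
    keys = [
        Key("shane", 4, "shane@example.invalid", date(2004, 12, 1),
            signers={"ben", "dirk", "legacy", "stale", "nomail"}),
        Key("ben", 4, "ben@example.invalid", date(2004, 11, 1)),
        Key("dirk", 4, "dirk@example.invalid", date(2004, 8, 1)),
        Key("legacy", 3, "old@example.invalid", date(2004, 12, 1)),   # not v4: removed
        Key("stale", 4, "stale@example.invalid", date(2004, 3, 1)),   # >6 months: expired
        Key("nomail", 4, None, date(2004, 12, 1)),                    # no email: unsupported
    ]
    return directory_view(keys, today)
```

Running `demo()` leaves only two of the five signatures on the sample key, which is the effect Shane is asking about for his 107.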


Re: [PGP Global Directory] Verify Email Address - what do people think?

Posted by Ben Laurie <be...@algroup.co.uk>.
Dirk-Willem van Gulik wrote:
> 
> On Tue, 21 Dec 2004, Ben Laurie wrote:
> 
> 
>>The point about this new one is it allows keys that are wrong (i.e. do
>>not belong to the email address) or no longer have private keys
>>available to be expired.
> 
> 
> Though I kind of dislike that; I intentionally keep older email addresses
> on my key as in the period I worked for that employer I signed things as
> in that role - and those keys still are valid in that sense.

This doesn't affect their historical accuracy, of course, just whether 
you can fetch them from keyservers.

> I guess this
> forces us to start to become more careful about role accounts :-)

Role accounts suck.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



Re: [PGP Global Directory] Verify Email Address - what do people think?

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.

On Tue, 21 Dec 2004, Ben Laurie wrote:

> The point about this new one is it allows keys that are wrong (i.e. do
> not belong to the email address) or no longer have private keys
> available to be expired.

Though I kind of dislike that; I intentionally keep older email addresses
on my key as in the period I worked for that employer I signed things as
in that role - and those keys still are valid in that sense. I guess this
forces us to start to become more careful about role accounts :-)

Dw.



Re: [PGP Global Directory] Verify Email Address - what do people think?

Posted by Ben Laurie <be...@algroup.co.uk>.
Shane Curcuru wrote:
> Anyone with a PGP key on the pgp.com keyserver likely has gotten one or
> more of these emails recently.  I'm figuring it's legit, see
> http://www.pgp.com/downloads/beta/globaldirectory/faq.html

It is legit.

> - Any security types have a decent analysis of what the new pgp.com's
> "Directory" really means, vs. using other keyservers?

The point about this new one is it allows keys that are wrong (i.e. do 
not belong to the email address) or no longer have private keys 
available to be expired.

> - Hey: how many of us still see the pgp.com keyserver as a useful thing
> for building the Apache web-of-trust, versus other keyservers or simply
> managing keys individually?

They are a convenient way to get keys. I use them all the time.

> A couple of things in the FAQ are interesting:
> - Only supports v4 keys - no RSA legacy keys (they get deleted before
> being posted in the directory)

This is a long-standing whine by PGP types - compatibility issues, 
basically.

> - Verifies keys every 6 months by requiring a clickthru response to
> emails sent to <yo...@domain.blah>; only keys with email addr are
> supported.

See above.

> - *Only* signatures from other keys that are also in the Directory are
> supported: other signatures are removed before being exposed in the
> Directory.  (This one is mildly annoying)  I wonder how many out of
> their claimed 107 signatures on my key will remain after this check.

I'm not sure of the motivation for this one - I'll take it up with the 
guy in charge if you want.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
