On Sun, Oct 23, 2005 at 05:16:43PM +0100, Bob Henson wrote:
> > Some people do not like this server as it does email address
> > verification (via sending a mail to the email address on the key, if
> > any), and then signs the key. These signatures are reissued every 2
> > weeks or so if people keep requesting the key. The list of signatures
> > can get long. Both PGP and GPG have features to delete the expired
> > ones.
>
> That's not the only reason though. The PGP Global Keyserver is dangerous, as
> well as a nuisance, for a number of reasons. As it only shows one key on a
> search for a user's name, it might cause people to miss a revoked key and
> continue using it.

This is a misunderstanding about the Global Directory. It does not, is not
designed to, and should not give more than one key for a given email address.
The GD says "This is the key. Period. There is no other key. Take this key and
use it. Have A Nice Day."

The goal of the GD is specifically NOT to say, "This is the key. Here are a few
more keys. Well, here's another one that the person may or may not have lost
the passphrase for. Oops, found another one. And this one too. Now figure out
which one, if any, you should use!"

It always amuses me that people complain bitterly about the GD storing one key
per email address, but don't complain, for example, about people putting their
key up on a web page. After all, they may contain only one key, and might cause
people to miss a revoked key. ;)

> The "verification" is dangerous in itself, since people may rely on
> the server signature for trust - which is not a good idea for
> obvious reasons - anyone could upload a key from a particular
> address, and e-mail verification *alone* is of little value.

Completely untrue. For the huge majority of users, email verification is
sufficient. The GD is one-stop shopping for them: they get a single key that
points to an email address that has been checked. Sure beats 3-4 keys on the
keyserver and having to parse out the web of trust to see which one to use...
only to find that more than one was in the web of trust, pick one anyway, and
then hope the key owner didn't lose the passphrase or just stopped using
encryption.

Remember that the people who subscribe to this mailing list and have any
knowledge of the web of trust are not in any way the huge majority of users.
We're a minuscule blip on top of a near nothingness.

You assert that e-mail verification alone is of little value. I disagree. I
challenge you to make a key with my email address and get the GD to accept it.
Let me know when you succeed.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
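The directory semantics argued over in this thread (one published key per address, publication gated on a token mailed to that address, a directory signature that lapses after roughly two weeks and is reissued when the key is requested again, and a cleanup step for the lapsed ones) can be sketched as a small model. The following is an added illustration written for this page, not PGP Corporation's Global Directory code; the `GlobalDirectoryModel`, `clean_expired` and `demo` names, the constructed address and fingerprints, and the exact 14-day lifetime are all assumptions.

```python
"""Toy model of the PGP Global Directory behaviour described in the thread.

Added example, not PGP Corporation's code: one key per verified email
address, a directory signature that expires after ~2 weeks and is reissued
when the key is requested again, and a cleanup step for the expired ones.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

SIG_LIFETIME = timedelta(days=14)   # "every 2 weeks or so"; exactly 14 days is an assumption


@dataclass
class DirectorySig:
    issued: datetime
    expires: datetime

    def expired(self, now: datetime) -> bool:
        return self.expires <= now


@dataclass
class KeyRecord:
    fingerprint: str
    email: str
    sigs: list = field(default_factory=list)


class GlobalDirectoryModel:
    """Hypothetical directory: exactly one key per address, gated on a mailed token."""

    def __init__(self, now: datetime):
        self.now = now
        self.keys: dict[str, KeyRecord] = {}     # email -> the single published key
        self.pending: dict[str, tuple] = {}      # token -> (email, fingerprint)

    def tick(self, delta: timedelta) -> None:
        self.now += delta

    def submit(self, fingerprint: str, email: str) -> str:
        """Stage a key; the returned token stands in for the verification mail."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = (email, fingerprint)
        return token

    def confirm(self, token: str) -> KeyRecord:
        """Only someone who can read mail at the address can present the token."""
        if token not in self.pending:
            raise ValueError("unknown or already used verification token")
        email, fingerprint = self.pending.pop(token)
        rec = KeyRecord(fingerprint, email)
        rec.sigs.append(DirectorySig(self.now, self.now + SIG_LIFETIME))
        self.keys[email] = rec      # replaces any earlier key for this address
        return rec

    def lookup(self, email: str):
        """Return the one published key, reissuing the directory signature if it lapsed."""
        rec = self.keys.get(email)
        if rec is not None and all(s.expired(self.now) for s in rec.sigs):
            rec.sigs.append(DirectorySig(self.now, self.now + SIG_LIFETIME))
        return rec


def clean_expired(rec: KeyRecord, now: datetime) -> int:
    """Drop lapsed directory signatures; returns how many were removed."""
    before = len(rec.sigs)
    rec.sigs = [s for s in rec.sigs if not s.expired(now)]
    return before - len(rec.sigs)


def demo() -> dict:
    """Run the scenario from the thread and return the observable facts."""
    gd = GlobalDirectoryModel(datetime(2005, 10, 23))
    alice = "alice@example.org"                        # constructed sample address

    token = gd.submit("FP-ALICE-1", alice)             # constructed fingerprint
    gd.confirm(token)                                  # the mailbox owner read the mail
    gd.submit("FP-SOMEONE-ELSE", alice)                # second submission, never confirmed
    published_fp = gd.lookup(alice).fingerprint        # the unconfirmed one is not published

    gd.tick(timedelta(days=30))                        # two lifetimes later...
    rec = gd.lookup(alice)                             # ...a fresh request reissues the sig
    sigs_after_reissue = len(rec.sigs)
    removed = clean_expired(rec, gd.now)

    try:
        gd.confirm("not-a-real-token")
        bogus_rejected = False
    except ValueError:
        bogus_rejected = True

    return {
        "published_fp": published_fp,
        "sigs_after_reissue": sigs_after_reissue,
        "removed": removed,
        "remaining": len(rec.sigs),
        "bogus_rejected": bogus_rejected,
        "pending_left": len(gd.pending),
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the design point concrete: an unconfirmed submission for an address never displaces the confirmed key, and only the holder of the mailbox can complete the step. The `clean_expired` step is the model's stand-in for what GnuPG does on a real keyring with the `clean` command inside `gpg --edit-key` (or `--import-options clean` and `--export-options export-clean`), which is the feature Bob's quoted text refers to.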