Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Global Directory of OpenPGP Keys

Posted by michael on from the how-may-i-direct-your-call dept.

Gemini writes "The PGP company just announced a new type of keyserver for all your OpenPGP keys. This server verifies (via mailback verification, like mailing lists) that the email address on the key actually reaches someone. Dead keys age off the server, and you can even remove keys if you forget the passphrase. In a classy move, they've included support for those parts of the OpenPGP standard that PGP doesn't use, but GnuPG does."

6 of 234 comments (clear)

  1. Re:FPCP by Anonymous Coward · · Score: 4, Informative

    Yup... spammers are already harvesting email addresses from PGP keyservers. I had an address on my key that I never ended up actually using for anything, yet I suddenly started getting spam to it. Ditto for another address that I only used with close friends and family but was also a userid on my key.

    The combination of this and (nigerian) spammers that actually respond to my challenge-response authentication is getting me very pissed off about spammers. :)

  2. Re:FPCP by TheUnFounded · · Score: 5, Informative

    From the FAQ:

    Will I get spam if I use the PGP Global Directory?
    No. Searches of the PGP Global Directory are limited to one (1) response, thus making gathering email addresses from the PGP Global Directory one of the least-effective ways of harvesting email addresses for spammers.

  3. Re:Can a central repository bring security? by Just+Some+Guy · · Score: 4, Informative
    if the central repository is located in USA and the FBI want to do a man-in-the-middle attack?

    Not unless you're amazingly trusting of the repository. Read up on the "web of trust" and how to personally verify the keys you're using to send messages.

    For example, my pubkey has been signed by several friends, and I have signed their pubkeys in kind. If I get a signed email from Charlie (whom I don't know), but his pubkey has been signed by Bob (whom I do know) using his key that I myself signed, then there is a direct path of trust between Charlie and me. If I believe that Bob is an honest guy who wouldn't have signed Charlie's key without personally verifying his identity, then I have cause to that key.

    It's hard to explain the web of trust without making it sound more complicated than it really is. It's somewhat analogous to a friend introducing you to a person you've never met before. If your friend is very gullible, then you won't put much confidence in the ID of the person they're introducing. If your friend is, say, a loan officer who just spent the last month vetting the new person's identity, then you can be reasonably sure that they're giving you accurate information about that person.

    Which brings us back to your question. If you're corresponding with a new contact with no trust pathway to that person, then you have exactly zero reason to believe in their identity simply because they were able to download GnuGP and create a new key. However, if that new person's key was signed by Alice, whose key was signed by Charlie, whose key was signed by Bob, whose key was signed by you, then you have at least some reason to think they're who they say they are.

    There is no real concept of blindly trusting a new person in real life. GnuPG does not magically change this.

    --
    Dewey, what part of this looks like authorities should be involved?
  4. OpenPGP set to become global standard by Mstrgeek · · Score: 3, Informative
    well done wrtie up on this topic

    http://www.itweek.co.uk/news/1118258

    --
    Chris Williams clw7500nc@gmail.com
  5. Re:Can a central repository bring security? by Artifakt · · Score: 3, Informative

    Your explanation for the web of trust is cogent, well grounded in reality and still manages to capture the essentials of the process. Nicely done , Sir! One nitpick, however:

    In Alice and Bob explanations, the C party is usually Carol.

    Here's a wiki entry that discusses real life as it applies to cryptography. Its arguements parellel and support some of yours nicely, while also explaining Carol, Dave, and the others.

    http://en.wikipedia.org/wiki/Alice_and_Bob/

    --
    Who is John Cabal?
  6. Re:..future for PGP? YES! Here's moreResources!?!? by QuietRiot · · Score: 3, Informative

    DROP TEXT :: Email People

    (Sent this a few days ago to my ISP and family members - thought it might be useful to some /.ers or otherwise... Forward At Will )

    =Cy

    :: E M A I L ::

    Do consider Thunderbird

    http://www.mozilla.com/products/thunderbird/
    http://www.mozilla.com/products/thunderbird/why/

    for both yourself and your clients. It's really a wonderful product
    and has spam handling built right in. Unlike Outlook(TM) it is open
    about where it keeps your email (not hidden and difficult to export)
    and is not so susceptible to worms and email nastiness such as scripts
    that run without hindrance. Many a spyware app has been installed
    further contributing to the spam problem due to people running just
    that piece of software. Don't help the spammers. Reclaim your inbox.

    It supports Enigmail: ( email envelopes you don't have to lick! )

    http://enigmail.mozdev.org/
    http://www.moztips.com/index.php?id=87
    http://dudu.dyn.2-h.org/nist/gpg-enigmail-howto.ph p

    I've attached my public key [ 0xYOUR_FINGERPRINT ]. I prefer to receive
    secure mail. I've got nothing to hide, but I don't like using
    postcards for all my USPS correspondence either. Regular email is
    like using postcards on the internet. Any postal worker along the way
    can take a look ( have a look at email "headers" sometime; every hop
    you see is a place where your email is stored on a hard drive. )
    Please use an envelope when communicating with me. Won't even cost
    you a stamp. I value your privacy as much as I hope you value mine.

    Privacy tool for Windows: (supports Eudora, Outlook, Clipboard)
    http://winpt.sf.net

    There's no need to keep my public key a secret. Feel free to give
    it away or put it on a telephone pole; write it in the sky if you'd
    like. It's available on the web. The more people that have it the
    better. Use it to seal your envelopes when sending me mail. I've got
    the only other matching key (my private key, opposite the public key
    I've given to you) that allows me to unlock the envelope. You can
    even lock an envelope so that multiple people can unlock it on their
    own, but nobody else can read what you've sent them.

    You can also find keys for me here:

    http://www.biglumber.com

    Please try it out. Be glad to help you get started.

    :: W E B ::
    If you haven't heard of the Firefox web browser yet

    http://www.mozilla.org/products/firefox/

    download it and check it out. Then look into the Extensions under
    tools. Fast, far more secure than IE and extremely standards
    compliant. Lots of tricks up it's sleeve in the way of Extensions,
    themes, etc. Introducing this to your clients might be worthwhile as
    well. The less spam and junk they've got clogging up their machines,
    the less you'll pay for bandwidth, etc. Worth a look.

    Thunderbird will import from Outlook. They just had a major release.
    Even though this is version 1.0 it's not like a "typical" 1.0 release.
    In the opensource world projects often start out with very low version
    numbers. It's not uncommon to see something like v0.3.22 for very
    usable and extremely bug free pieces of software.

    Anyway it's really nice - though it doesn't have the calendar and palm
    integration. That you'll need to weigh. Mom however doesn't need to
    be on outlook....

    =====[ http://www.mozilla.org/products/thunderbird/releas es/ ] =======

    Comprehensive Mail Migration from other Mail Clients

    Switching to Thunderbird has never been easier since Thunderbird can
    now migrate all of your email data including settings, mail folders