Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Global Directory of OpenPGP Keys

Posted by michael on from the how-may-i-direct-your-call dept.

Gemini writes "The PGP company just announced a new type of keyserver for all your OpenPGP keys. This server verifies (via mailback verification, like mailing lists) that the email address on the key actually reaches someone. Dead keys age off the server, and you can even remove keys if you forget the passphrase. In a classy move, they've included support for those parts of the OpenPGP standard that PGP doesn't use, but GnuPG does."

3 of 234 comments (clear)

  1. Re:FPCP by Anonymous Coward · · Score: 4, Informative

    Yup... spammers are already harvesting email addresses from PGP keyservers. I had an address on my key that I never ended up actually using for anything, yet I suddenly started getting spam to it. Ditto for another address that I only used with close friends and family but was also a userid on my key.

    The combination of this and (nigerian) spammers that actually respond to my challenge-response authentication is getting me very pissed off about spammers. :)

  2. Re:FPCP by TheUnFounded · · Score: 5, Informative

    From the FAQ:

    Will I get spam if I use the PGP Global Directory?
    No. Searches of the PGP Global Directory are limited to one (1) response, thus making gathering email addresses from the PGP Global Directory one of the least-effective ways of harvesting email addresses for spammers.

  3. Re:Can a central repository bring security? by Just+Some+Guy · · Score: 4, Informative
    if the central repository is located in USA and the FBI want to do a man-in-the-middle attack?

    Not unless you're amazingly trusting of the repository. Read up on the "web of trust" and how to personally verify the keys you're using to send messages.

    For example, my pubkey has been signed by several friends, and I have signed their pubkeys in kind. If I get a signed email from Charlie (whom I don't know), but his pubkey has been signed by Bob (whom I do know) using his key that I myself signed, then there is a direct path of trust between Charlie and me. If I believe that Bob is an honest guy who wouldn't have signed Charlie's key without personally verifying his identity, then I have cause to that key.

    It's hard to explain the web of trust without making it sound more complicated than it really is. It's somewhat analogous to a friend introducing you to a person you've never met before. If your friend is very gullible, then you won't put much confidence in the ID of the person they're introducing. If your friend is, say, a loan officer who just spent the last month vetting the new person's identity, then you can be reasonably sure that they're giving you accurate information about that person.

    Which brings us back to your question. If you're corresponding with a new contact with no trust pathway to that person, then you have exactly zero reason to believe in their identity simply because they were able to download GnuGP and create a new key. However, if that new person's key was signed by Alice, whose key was signed by Charlie, whose key was signed by Bob, whose key was signed by you, then you have at least some reason to think they're who they say they are.

    There is no real concept of blindly trusting a new person in real life. GnuPG does not magically change this.

    --
    Dewey, what part of this looks like authorities should be involved?