New Global Directory of OpenPGP Keys
Gemini writes "The PGP company just announced a new type of keyserver for all your OpenPGP keys. This server verifies (via mailback verification, like mailing lists) that the email address on the key actually reaches someone. Dead keys age off the server, and you can even remove keys if you forget the passphrase. In a classy move, they've included support for those parts of the OpenPGP standard that PGP doesn't use, but GnuPG does."
Sounds like a good way to make a global whitelist! ;/
Allow incoming mail only from such valid e-mail accounts that are using the service. Could be useful for spam. Or will spam endure as it always has done...
Every new PGP user has done it. Created a brand new key while learning the program and forgot the passphrase. There are hundreds of unused keys that were created and never used but can never be deleted because they don't expire.
Had PGP's defaults been for a 1 year key instead of infinite this wouldn't be an issue.
I always create 1 year keys but I've got a couple of keys out there over 10 years old that I FUBAR'd that'll never go away.
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
Yes... until some government makes encryption illegal because it evades wiretaps (they're trying, believe me...).
503 Sig Unavailable
The Signature could not be accessed. Please try again later or contact the administrator
Doesn't matter. This is a directory for public (i.e., the non-private portion of) OpenPGP keys, which are/should-be publicly available anyway. Else, why use public/private pgp keys at all?
It doesn't matter. Keyservers are merely a method of distributing keys, not establishing trust. You can establish trust by a number of methods, such as manually verifying the fingerprint with the person yourself using a trusted medium (e.g. face to face) or having somebody you trust sign the key (after verifying their key, of course).
The real danger to public key cryptography taking off is that it will become commonplace to simply trust keys without verifying them. Everyone will feel more secure, but the security will be an illusion.
Unfortunately I can't see a good way to make things more transparent and invisible to the end user. Most folks don't pick good passwords, yet that is absolutely essential for PGP private key security. Also, a yearly drive reformat is not uncommon, so lost keys are a huge issue. This technology partially addresses that issue but I shouldn't need to check to see if someone updated their key every message, plus there's the trust issue with a constantly rotating keyset.
Jeff
A central repository of public keys can bring problems, for example, if the central repository is located in USA and the FBI wants to do a man-in-the-middle attack? How can you be assured that the public key from the guy you want to send an encrypted message is really the correct public key? I don't know a better solution than having a lot of servers in different countries, under different governments' controls and laws, and when the user does a search, he can do the search in a lot of servers. How about having servers in USA, China, France, Germany, China, Finland, North Korea......, and the user can search the user public key in all these databases? When storing the public keys, why not have the user store his keys in these distributed servers? Can you really believe that storing your keys under one company's control can bring security?
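The two comments above make the same point from different angles: a keyserver only distributes keys, so trust has to come from checking the fingerprint against a value obtained out of band, and fetching the same key from several independent servers lets you notice when one of them hands back something different. The following is an added example, not code from the thread or from the PGP Global Directory, showing how an OpenPGP v4 fingerprint is derived from the raw public-key packet (RFC 4880 sections 5.5.2 and 12.2) and then compared with a trusted fingerprint and across several server copies. The key material, timestamp and server names are constructed sample values, not real keys or real keyservers.

```python
"""Added example (not part of the original thread): derive an OpenPGP v4
fingerprint from a public-key packet body, compare it with a fingerprint
obtained out of band, and cross-check copies of the key returned by several
keyservers. All key material and server responses below are constructed."""
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Version-4 public-key packet body for RSA (algorithm id 1): version,
    4-byte creation time, algorithm, then the n and e MPIs (RFC 4880 s5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 s12.2: SHA-1 over the octet 0x99, a 2-byte length, and the
    packet body. Returned as 40 upper-case hex digits, as gpg prints it."""
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a 2-byte length")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def matches_trusted(body: bytes, trusted_fpr: str) -> bool:
    """Compare the computed fingerprint with one verified out of band (e.g. read
    off a business card). Spaces and case are normalised; comparison is constant-time."""
    expected = trusted_fpr.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(body), expected)


def cross_check(copies: dict, trusted_fpr: str) -> list:
    """copies maps a server name to the key packet body that server returned.
    Returns the sorted list of servers whose copy does NOT match the trusted
    fingerprint; an empty list means every server agrees with the out-of-band value."""
    return sorted(s for s, body in copies.items() if not matches_trusted(body, trusted_fpr))


# Constructed sample key: a small modulus used only to exercise the encoding.
# It is not a real RSA key; real keys are 2048 bits or more.
SAMPLE_N = 0xC3F2A7B1D9E84F6305A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3E4F5A6B
SAMPLE_E = 65537
SAMPLE_CREATED = 1104537600  # constructed creation timestamp
SAMPLE_BODY = rsa_public_key_packet_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)

# The fingerprint the owner confirmed face to face. Here it is derived from the
# sample itself; in practice it comes from a channel the keyserver cannot influence.
TRUSTED_FPR = v4_fingerprint(SAMPLE_BODY)

# Constructed responses from three hypothetical keyservers. "server-c" returns a
# key whose modulus has been altered, standing in for a substituted key.
SERVER_COPIES = {
    "server-a": SAMPLE_BODY,
    "server-b": SAMPLE_BODY,
    "server-c": rsa_public_key_packet_body(SAMPLE_CREATED, SAMPLE_N ^ 0x1, SAMPLE_E),
}

if __name__ == "__main__":
    print("trusted fingerprint:", TRUSTED_FPR)
    for server, body in SERVER_COPIES.items():
        print(f"{server}: {v4_fingerprint(body)} match={matches_trusted(body, TRUSTED_FPR)}")
    print("servers disagreeing with the trusted value:", cross_check(SERVER_COPIES, TRUSTED_FPR))
```

The point of `cross_check` is that disagreement among servers is a signal, not a verdict: the copy to trust is the one whose fingerprint matches the value you verified yourself, and a server that returns anything else should be treated as unreliable for that key regardless of how many other servers agree with it.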
So if I'm willing to post my public key and verify every 6 months that I'm the same live email responder at the other end, then what assurance do I have that encrypted email sent to me isn't spam?
Another way of looking at it is from the "cost" of spamming - encrypting a spam "costs" the spammer, hence recent suggestions for charging mail-senders in CPU-cycles. Additionally, you'd be able to verify whether you held the spammer's public key on your keyring, and very easily "process" (i.e. delete with extreme prejudice) encrypted emails from unknown senders.
This is where the serious fun begins.
Perceived Value is very closely tied to perceived scarcity. As people begin to *realize* that their privacy is as scarce as it actually is, people will begin to value their privacy ergo encryption.
Feeding that will be dirt simple encryption applications that make it so EASY to encrypt and decrypt that you might as well do it. (Like, for example, the application I'm finishing right now but refuse to plug until it's released)
The biggest problem now is that if a developer wants to include Public Key encryption abilities in his app he has to create an entire key management system and force users to gather the keys of all their contacts manually because there's just no other way. How many users are going to do that for a program that they only kinda think they need?
If you want the answer to that question, look at the percentage of users who currently encrypt any large part of their communication (SSL excluded?)