Slashdot Mirror


New Global Directory of OpenPGP Keys

Gemini writes "The PGP company just announced a new type of keyserver for all your OpenPGP keys. This server verifies (via mailback verification, like mailing lists) that the email address on the key actually reaches someone. Dead keys age off the server, and you can even remove keys if you forget the passphrase. In a classy move, they've included support for those parts of the OpenPGP standard that PGP doesn't use, but GnuPG does."

2 of 234 comments (clear)

  1. PGP's defaults are the real problem. by nlinecomputers · · Score: 5, Insightful

    Every PGP new user has done it. Created a brand new key while learning the program and forgot the passphrase. There are hundreds of unused keys that was created and never used but can never be deleted because they don't expire.

    Had PGP's defaults been for a 1 year key instead of infinite this wouldn't be an issue.

    I always create 1 year keys but I've got a couple of key out there over 10 years old that I FUBAR'd that'll never go away.

    --
    Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
  2. Re:Backdoors? by JimDabell · · Score: 5, Insightful

    Are there backdoors?

    It doesn't matter. Keyservers are merely a method of distributing keys, not establishing trust. You can establish trust by a number of methods, such as manually verifying the fingerprint with the person yourself using a trusted medium (e.g. face to face) or having somebody you trust sign the key (after verifying their key, of course).

    The real danger to public key cryptography taking off is that it will become commonplace to simply trust keys without verifying them. Everyone will feel more secure, but the security will be an illusion.