Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Global Directory of OpenPGP Keys

Posted by michael on from the how-may-i-direct-your-call dept.

Gemini writes "The PGP company just announced a new type of keyserver for all your OpenPGP keys. This server verifies (via mailback verification, like mailing lists) that the email address on the key actually reaches someone. Dead keys age off the server, and you can even remove keys if you forget the passphrase. In a classy move, they've included support for those parts of the OpenPGP standard that PGP doesn't use, but GnuPG does."

4 of 234 comments (clear)

  1. PGP's defaults are the real problem. by nlinecomputers · · Score: 5, Insightful

    Every PGP new user has done it. Created a brand new key while learning the program and forgot the passphrase. There are hundreds of unused keys that was created and never used but can never be deleted because they don't expire.

    Had PGP's defaults been for a 1 year key instead of infinite this wouldn't be an issue.

    I always create 1 year keys but I've got a couple of key out there over 10 years old that I FUBAR'd that'll never go away.

    --
    Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
  2. Re:Is there a future for PGP? by spellicer · · Score: 5, Interesting

    S/MIME and PGP certainly address many similar issues such as email encryption and sender authenticity (which SSL does not necessarily do by the way), they approach some of the problems in different ways. The key difference I see between the two (and why PGP still has a role in this area) is how trust of signing keys is built.

    S/MIME and x.509 certificates use a central authority to enforce certificate holder identity. PGP and its variants use a "web of trust" system which allows ad hoc trust networks to build up by acquaintences sign each others keys. As an analogy, x.509 is client/server while PGP is peer-to-peer. PGP's approach serves a role for those who do not have a central authority (i.e. certificate authority) in common, do not trust CA's, cost of a certificate from a reliable CA is too high, or other factors usually centering around CA's.

    The above is a general idea and there are many variations on it that make the area more fuzzy. For example, S/MIME could potentially be implemented using PGP keys instead of x.509 or PGP could be implemented to require a particular signature (i.e. a CA) in order to use a key.

  3. Re:Backdoors? by JimDabell · · Score: 5, Insightful

    Are there backdoors?

    It doesn't matter. Keyservers are merely a method of distributing keys, not establishing trust. You can establish trust by a number of methods, such as manually verifying the fingerprint with the person yourself using a trusted medium (e.g. face to face) or having somebody you trust sign the key (after verifying their key, of course).

    The real danger to public key cryptography taking off is that it will become commonplace to simply trust keys without verifying them. Everyone will feel more secure, but the security will be an illusion.

  4. Re:FPCP by TheUnFounded · · Score: 5, Informative

    From the FAQ:

    Will I get spam if I use the PGP Global Directory?
    No. Searches of the PGP Global Directory are limited to one (1) response, thus making gathering email addresses from the PGP Global Directory one of the least-effective ways of harvesting email addresses for spammers.