[GR-Jug] Global PGP Key Registry
Matthew Carpenter
matt at eisgr.com
Mon Dec 13 08:23:23 EST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dave Brondsema wrote:
| What sort of lack of authentication is there, and why is it a problem?
|
| Yes, anyone can create a PGP key for any email address, but you
| shouldn't trust any key's authenticity unless there is a chain of
| signatures from you to them. Signing keys builds a web of trust;
| this is a critical part of the PGP system because it is not
| hierarchical from some supposed root authority.
|
The point is that I submit my keys to the keyservers and that's
that. I don't have any management or alerting ability. There is
nothing that assures that I add any keys associated with my email
addresses or identity nor that I am even notified when others do.
Having some sort of checks and balances increases the value of the system.
|> This is a *free* directory for PGP keys, and looks to provide not just
|> "another" but "the" PGP key repository.
|
|
| All public keyservers are "the" place to look for keys because they
| mirror with each other. It's distributed redundancy; much better
| than relying on just one keyserver anyway.
Thanks. That much I was not sure of.
|
|> It is currently in Beta right now and is worth checking out. If
|> you are a security professional, this is an important read. It is a
|> good idea to sign everything, and/or provide your PGP key information
|> to anyone who may contact you with sensitive content, particularly in
|> the event of a security incident.
|
|
| PGP certainly is important, but why are we talking about it here?
I was at first hesitant to include this list in my note. But, in a
day when identity theft, spyware, and eavesdropping are rampant,
security and the related technologies are very important for
developers to be aware of and consider. Likely the developers on this
list will be making use of PGP-related security and will benefit from
the knowledge.
Moreover, while I am not an expert on the topic, I know more than
quite a few (which doesn't say much). The discussion leads to
learning and shared learning is what this and most lists are all
about. In our conversation, I have already learned something.
Hopefully others will as well. That's the point. Thanks for being
concerned with staying on-topic. I believe we have.
Matt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBvZfJso9lqh4MragRAuELAJ40OWga02MYoT9WZihS8TSpqd2HswCfZBYp
krPc9ldlw1Oeu6WvQN3lffc=
=v39B
-----END PGP SIGNATURE-----