[16563] in cryptography@c2.net mail archive

pgp "global directory" bugged instructions

daemon@ATHENA.MIT.EDU (Adam Back)
Wed Dec 22 11:21:16 2004

X-Original-To: cryptography@metzdowd.com
Date: Thu, 16 Dec 2004 05:50:22 -0500
From: Adam Back <adam@cypherspace.org>
To: Cypherpunks <cypherpunks@minder.net>
Cc: Cryptography <cryptography@metzdowd.com>

So PGP are now running a pgp key server which attempts to consolidate
the information from the existing key servers, but screen it by
ability to receive email at the address.

So they send you an email with a link in it and you go there and it
displays your key userid, keyid, fingerprint and email address.

Then it says:

| Please verify that the email address on this key, adam@hashcash.org,
| is your email address, and is properly configured to send and
| receive PGP secured email.
|
| If the information is correct, click 'Accept'. By clicking 'Accept',
| your key will be published to the directory, where other PGP users
| will be able to retrieve it in order to encrypt messages to you and
| verify signed messages from you.
|
| If this information is incorrect, click 'Cancel'. By clicking
| 'Cancel', this key will not be published. You may then submit
| another key with the correct information.

So here's the problem: it does not mention anything about checking
that this is your fingerprint.  If it's not your fingerprint but it is
your email address you could end up DoSing yourself, or at least
perpetuating an imposter key into the new supposedly email validated
keyserver db.

(For example on some key servers there are keys with my name and email
that are nothing to do with me -- they are pure forgeries).

Suggest they add something to say in red letters check the fingerprint
AND keyid matches your key.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
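
The check the message asks for, comparing the fingerprint and key ID shown on the confirmation page with your own key before clicking 'Accept', can be scripted. The following is an added example, not part of the original post and not PGP's code: it assumes your own key is listed in GnuPG's --with-colons format, the function names are hypothetical, and all key values are constructed.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for the
# reader's own key; every value here is made up for illustration.
OWN_KEY = (
    "pub:u:1024:17:0123456789ABCDEF:2001-01-01:::u:"
    "Example User <user@example.org>::scESC:\n"
    "fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:\n"
)

def norm(value):
    """Drop spaces, colons and a leading 0x; upper-case; insist on hex."""
    s = re.sub(r"[\s:]", "", value).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError("not a hex string: %r" % value)
    return s

def own_key(colons):
    """Return (fingerprint, long key ID) of the first key in the listing."""
    fpr = keyid = None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub" and keyid is None:
            keyid = norm(f[4])      # field 5: 64-bit key ID
        elif f[0] == "fpr" and fpr is None:
            fpr = norm(f[9])        # field 10: fingerprint
    if fpr is None or keyid is None:
        raise ValueError("no pub/fpr records found")
    return fpr, keyid

def check_displayed(colons, shown_fpr, shown_keyid):
    """Return a list of problems; an empty list means both values match."""
    fpr, keyid = own_key(colons)
    problems = []
    # The fingerprint is the decisive comparison and must match in full.
    if norm(shown_fpr) != fpr:
        problems.append("fingerprint mismatch")
    # A key ID is only a suffix of a v4 fingerprint, so a matching ID on
    # its own proves nothing; it is checked in addition, never instead.
    shown_id = norm(shown_keyid)
    if len(shown_id) not in (8, 16) or not keyid.endswith(shown_id):
        problems.append("key ID mismatch")
    return problems
```

An imposter key that carries the right email address and even the same short key ID still fails the fingerprint comparison, which is the case the confirmation page does not warn about.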
