
Re: [Sks-devel] new keyserver online


From: C.J. Adams-Collier KF7BMP
Subject: Re: [Sks-devel] new keyserver online
Date: Sun, 22 Aug 2010 07:54:26 -0700

On Sun, 2010-08-22 at 14:04 +0200, Arnold wrote:
> On 08/22/2010 03:54 AM, C.J. Adams-Collier KF7BMP wrote:
> > On Sat, 2010-08-21 at 22:37 +0200, Christoph Anton Mitterer wrote:
> >> On Mon, 2010-08-09 at 12:54 -0400, C.J. Adams-Collier wrote:
> >>> Cool.  Could you sign something for me so's I have a relatively strong
> >>> indication that you own the pub key I will associate with the server?
> >>...
> >> What I did,... and what should be even a better proof that the key
> >> belongs to the owner of the server is:
> >>
> >> I've added a file at:
> >> http://scientia.net/adams-collier.keyinfo
> >> which contains the fingerprint + my name.
> >> ...
> > No.  And I advise all others to avoid peering with you until you can
> > prove that you own the private key that will be associated with the
> > keyserver.

> Why?

Because none of the information provided indicates in any way that the private key corresponding with the public key provided is under Chris' control. 

> Keys and certificates identify persons, not ownership of a server. Whether
> or not you trust the signers of the key or certificate is up to you.
>
> For the server, all he can do is prove he has sufficient access rights
> (which he offered and is also inherent to modifying the membership file). Or
> you can contact the domain owner offline (using WHOIS information).
>
> But then, why won't you peer with an anonymously operated server? In some
> countries that might be necessary. After all, each public key a key server
> provides should initially be regarded as 'untrusted'.

http://apps.leg.wa.gov/rcw/default.aspx?cite="">


(1) The secretary must recognize one or more repositories, after finding that a repository to be recognized:
... (d) Contains no significant amount of information that is known or likely to be untrue, inaccurate, or not reasonably reliable;

I interpret this to mean that I need to perform some amount of identity verification of the operator of each keyserver with which I peer.
> The only thing I'm interested in is if the server is operated by a
> sufficiently skilled administrator. Something certificates won't tell.


> > http://apps.leg.wa.gov/rcw/default.aspx?cite="">
>
> This is a national law / ruling applicable to just one country. It is
> useless in the rest of the world (ref. art. 3a, for example) and not
> applicable to PGP keys, as they do not depend on a certification
> authority to be valid for the user.

All of this is correct.  However, the advice is generally applicable to signing- and trust-related activities.

> Arnold

Cheers,

C.J.
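The disagreement above comes down to one check: a file that merely states a fingerprint proves nothing about who holds the private key, while a signature over a fresh challenge does. The following is an added illustration, not code from the thread or from the SKS project; it is POSIX sh, assumes GnuPG 2.1 or later is installed, and uses a throwaway key, a constructed identity and a constructed hostname so it never touches a real keyring.

```shell
#!/bin/sh
# Challenge-response proof of possession for a prospective keyserver peer.
# The peer's key is generated here only so the demo is self-contained.
set -eu

# Scratch keyring: the real operator's keys are never used or modified.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Stand-in for the peer operator's key (constructed identity, not a real
# person). Prints the fingerprint the operator would publish in a keyinfo file.
gen_peer_key() {
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-gen-key 'Peer Operator <peer@example.invalid>' ed25519 sign none 2>/dev/null
    gpg --batch --with-colons --list-keys 'peer@example.invalid' \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The verifier issues a fresh random challenge that names the server, so a
# signature made for some other purpose cannot be replayed as this proof.
make_challenge() {
    printf 'sks-peer-challenge host=%s nonce=%s\n' "$1" \
        "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
}

# The operator clearsigns the challenge (stdin to stdout) with the peer key.
sign_challenge() {
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback --clearsign
}

# Verifies the signed challenge file against the text we actually issued and
# prints the signing key's fingerprint; prints nothing and fails on a bad
# signature or altered text. That fingerprint, not the published file, is
# what should be compared with the key listed for the peer.
verify_challenge() {
    signed=$1
    expected=$2
    status=$(mktemp)
    text=$(gpg --batch --quiet --status-fd 3 --decrypt "$signed" \
        3>"$status" 2>/dev/null) || { rm -f "$status"; return 1; }
    fpr=$(awk '$2 == "VALIDSIG" { print $3; exit }' "$status")
    rm -f "$status"
    [ -n "$fpr" ] && [ "$text" = "$expected" ] && printf '%s\n' "$fpr"
}
```

Run end to end: `fpr=$(gen_peer_key); ch=$(make_challenge keyserver.example.invalid); printf '%s\n' "$ch" | sign_challenge > c.asc; verify_challenge c.asc "$ch"` prints the same fingerprint as `$fpr`, and passing any other text in place of `"$ch"` makes the check fail.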
