Re: [Sks-devel] new keyserver online

[Christoph Anton Mitterer]

On Sun, 2010-08-22 at 08:13 -0700, C.J. Adams-Collier KF7BMP wrote:
> > If I'm not missing something substantially (and I don't think so) there
> > is really nothing which you'd gain from this anyway.
> > If I send you some encrypted challenge or vice versa, you have neither a
> > proof that I'm actually "Christoph Anton Mitterer" but only that the
> > owner of that key has access to that email address (which an attacker
> > can have easily too, via MiM-attacks).
> 
> Yes, it would be a weak indication, but it is more indication than
> just that you own the associated email.
Associated with what? With my key? With the keyserver?


> The only thing I intended to suggest with this link is that these are
> the standards by which the state requires me to operate.
As it was already pointed out here, this likely doesn't apply to a
keyserver.
A keyserver is not a certificate authority,... nor a registration
authority.
It's just a service holding any keys. These keys can be valid (in the
sense of "good") or forged (e.g. I could upload a key with "Linus
Torvalds").


> Please accept my sincere apology.  I did not mean to offend.  I have
> never received a refusal to sign a message indicating ownership of a
> private key and it raised a red flag.
Well it's ok,... but you really should understand, that this is
completely pointless, especially when one wants to make a connection
between a key, and the owner/operator of a keyserver.

What people (sometimes) do is: making such challenges, after (or in
addition) to personal meetings, where they've exchanged fingerprints,
and identity documents (like passport).
Then it's used as a (very limited) proof, that someone has controll over
an email-address.


Cheers,
Chris.