
Re: [Sks-devel] new keyserver online


From: Christoph Anton Mitterer
Subject: Re: [Sks-devel] new keyserver online
Date: Sun, 22 Aug 2010 23:56:37 +0200

On Sun, 2010-08-22 at 14:48 -0700, C.J. Adams-Collier KF7BMP wrote:
> It was published on a CD, signed by Philipp Kern <address@hidden>, a
> Debian Developer whose identity was verified in person by another DD:
And you believe that Philipp has met officials for all the CAs included
in the Mozilla bundle and verified them?

Mozilla itself just takes them from WebTrust, IIRC,... and we've already
seen recently how securely Mozilla handles this (when they've had a CA
included, from which they didn't even know to whom it belongs).


Nevertheless.... I still don't understand what you actually want.

If it's just the verification of my name on the key,... then challenge
response doesn't help at all,... then you could rather take one of the
signatures on my key (e.g. from some DDs, or rather well known "CA"s
like DFN, CAcert or heise's crypto campaign).
Or via the IGTF hierarchy...
I could even sign the key with a StartSSL X.509 cert, which is in your
Mozilla...

But I thought it's about getting a key that belongs to the owner of the
keyserver (mine). Then all the above wouldn't help you at all.

The best thing I could do is, putting the credentials directly on the
server (on a website or so), thereby making the "official" connection.
Or provide them via https and a server certificate e.g. from CAcert.

But again,.. they only check the ownership of a server via whois and
email,... which is in turn not very secure.


Cheers,
Chris.



