List:       pgp-keyserver-folk
Subject:    Re: fake keys ?
From:       Wojtek Sylwestrzak <W.Sylwestrzak () icm ! edu ! pl>
Date:       1999-01-28 13:44:09

Marcel Waldvogel wrote:
> 
> >
> > this would call for maintaining two separate databases.
> > but I'm not sure if the client software that users use
> > would support it ? I just don't know what people use
> > apart from plain pgp and direct keyserver searches ?
> 
> No, the keyserver would just set an internal flag whether the key was
> to be considered trusted or not; just the entries returned would differ
> somewhat from what is currently being returned.

yes, this makes more sense.

> Maybe we could introduce a pseudo key, which would "sign" these
> untrusted keys with a warning message (and this pseudo key would always
> be sent along when an untrusted key would be sent out).

i wonder whether this would help ?
generally pgp warns when it uses a key that is not certified.

> 
> But I think it would be much better to also adapt the front-end (i.e., PGP)
> to give better hints on unsigned keys.

isn't it there already?
i think what's missing seems to be keyservers warning about
unsigned keys. especially since keyservers are probably potentially
the primary source of forged, broken or invalid keys :-(

> 
> BTW: If anyone submits a key via mail to pgpkeys.ch.pgp.net, an
> instructional message is returned that he should get his key signed
> by at least another person (though I don't know whether it helps).

would be interesting to compare the ratio of signed vs unsigned keys
entered to various keyservers...
or just grep logfiles for the number of new signatures originating
at your site ... 
seems too tedious, doesn't it ?

--w
