Keyservers and Spam

Bill Frantz frantz at pwpconsult.com
Thu Jun 12 18:43:22 EDT 2003


At 8:58 AM -0700 6/12/03, David Honig wrote:
>At 05:47 PM 6/11/03 -0700, Bill Frantz wrote:
>>To try to reflect some of David's points with a real-world situation.  I
>>was at work, with a brand new installation of PGP.  I wanted to send some
>>confidential data home so I could work with it.  However I didn't have my
>>home key at work, so I didn't have a secure way to send either the data, or
>>the work key.  I didn't even have the fingerprint of the home key.
>>
>>My solution was to pull Carl Ellison's business card out of my pocket.  It
>>had his key fingerprint on it, and I remember getting it directly from him,
>>so I could trust the fingerprint.  Now Carl had signed my key, so when I
>>downloaded it from the key server, I could verify that it was indeed mine
>>(to the extent I trusted Carl).  Carl's signature, and the key server
>>allowed me to bootstrap trust into my own key.
>>
>>But with a key server, I didn't have to bother Carl to send me my key.  Or
>>depend on him being online when I needed it.
>
>True, although:
>1. you could have had your own key-fingerprint on your own bizcard
>and done the same.

I didn't.  I do now.


>2. you needn't have had your valid email address there (going back
>to the spam-thread), perhaps just your regular name.  In fact you
>could have your key on your home server, not in a public
>server which serves as spambait.

I don't think key servers are a significant cause of email address leakage
compared with posting to open mailing lists, so I am not compelled by the
original reason for this thread.

>3. I think you also trusted that Carl has not been compromised
>and re-signed a bogus key *after* he first signed it.  (Not picking
>on Carl here :-)

Yup.


And I could have followed Jill's suggestion of using symmetric encryption
had I thought of it.  Get a pass phrase from /dev/random and write it down.
Put the piece of paper in my wallet and take it home.  Decrypt the data and
burn the paper.  That's enough protection for low level commercial secrets.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | Due process for all    | Periwinkle -- Consulting
(408)356-8506         | used to be the         | 16345 Englewood Ave.
frantz at pwpconsult.com | American way.          | Los Gatos, CA 95032, USA
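As an added illustration (not code from the thread or from PGP itself) of the check Bill describes above: a key fetched from a key server is only as trustworthy as the fingerprint you compare it against, so this script computes the OpenPGP version 4 fingerprint of a public-key packet the way RFC 4880 defines it and compares it, in constant time, with a fingerprint copied off a business card. The RSA values and timestamp are constructed and far too small to be a real key; they only exercise the packet format.

```python
import hashlib
import hmac
import struct

# Constructed demo parameters, not a real key: a 64-bit modulus is useless
# for security but produces the same packet layout as a real RSA key.
DEMO_N = 0xC9A1F3E5B7D20F31
DEMO_E = 65537
DEMO_CREATED = 1055371200  # constructed creation time, mid-June 2003


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 s3.2)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (tag 6), without the packet header."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 s12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(fingerprint: str) -> str:
    """Drop the spacing and case differences a business card or PGP printout introduces."""
    return "".join(fingerprint.split()).upper()


def matches_card(body: bytes, card_fingerprint: str) -> bool:
    """True only if the downloaded key's fingerprint equals the one copied from the card."""
    return hmac.compare_digest(v4_fingerprint(body), normalize(card_fingerprint))


def format_for_card(fingerprint: str) -> str:
    """Group the 40 hex digits into ten blocks of four, as PGP prints a fingerprint."""
    fp = normalize(fingerprint)
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


if __name__ == "__main__":
    genuine = v4_rsa_public_key_body(DEMO_N, DEMO_E, DEMO_CREATED)
    card = format_for_card(v4_fingerprint(genuine))  # what you would print on the card
    substituted = v4_rsa_public_key_body(DEMO_N + 2, DEMO_E, DEMO_CREATED)
    print("card fingerprint:     ", card)
    print("downloaded key genuine:", matches_card(genuine, card))
    print("substituted key genuine:", matches_card(substituted, card))
```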



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com