New PGP keyserver and e-mail address verification - PGP

This is a discussion on New PGP keyserver and e-mail address verification - PGP ; I'm surprised no one has posted anything about the new e-mail verification feature on the PGP Corporation keyserver. In short, during mid-December most of the keys on the original PGP.com keyserver were copied over to keyserver-beta.pgp.com, and a verification e-mail ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: New PGP keyserver and e-mail address verification

  1. New PGP keyserver and e-mail address verification

    I'm surprised no one has posted anything about the new e-mail
    verification feature on the PGP Corporation keyserver.

    In short, during mid-December most of the keys on the original PGP.com
    keyserver were copied over to keyserver-beta.pgp.com, and a verification
    e-mail was sent out for any e-mail address associated with a key. The
    text of these messages would look something like this:

    PGP Global Directory

    VERIFY YOUR EMAIL ADDRESS

    You submitted a key to the PGP public keyserver. The
    PGP public keyserver is now being transitioned to the new PGP Global
    Directory, and your key is one of those that will be automatically
    transferred from the old keyserver.

    One of the features of the new PGP Global Directory is that all email
    addresses on the keys in the directory are verified.

    The email address:
    usenet@gp.users.panix.com
    is attached to this key.

    Please confirm this is your PGP public key and email address by
    following the link below:

    https://keyserver-beta.pgp.com/vkd/v...ndomhashstring

    Thank you.

    No further messages regarding the PGP Global Directory will be sent to
    this email address unless you choose to participate by providing a
    verification response to this email.

    Naturally, "randomhashstring" would be replaced with a unique
    identifier. If you followed the link, you'd be presented with
    a page where selecting a verification button would complete the
    process: that e-mail address on your key would be signed using
    key ID 0xCA57AD7C. (You can grab your own copy of this key from
    https://keyserver-beta.pgp.com/vkd/D...ey.event?rep=4)

    This sounds like a good idea -- providing a (theoretically) trusted
    source that could sign keys. This would at least allow you to trust
    that the e-mail address exists, even if you can't trust that it actually
    belongs to the person whose real name exists in the respective key.

    There's just one problem: the signature is only valid for two weeks.

    On my current key (0x3621AAFE), there are now two signatures: (1) the
    first one that was created on 11-Dec-2004, and is now expired; and
    (2) the one I created today (01-Jan-2005), which will expire on the
    15th of the month.

    While https://keyserver-beta.pgp.com/ doesn't appear to export expired
    signatures, PGP will import them, as will GnuPG. This could lead to
    some remarkably large and unwieldy public key certificates over time.

    Have many other people tried the new keyserver? Has PGP announced their
    design and intentions with this new signature scheme? The cynic in me
    is starting to think the unrealistically short signature expiration
    times might be a marketing ploy, in which case we'll probably see ads
    soon for one-year signatures or whatnot, as PGP moves more toward the
    CA business.

    --
    Gregory Pratt usenet@gp.users.panix.com (forwarded to /dev/null)
    "The only good spammer is a dead spammer."
    awk '{split($0,a,"@");split(a[2],b,".");print b[1] "@" b[3] "." b[4]}'
    PGP Key Fingerprint: DC60 FCDE 91E2 3D41 91A3 45DB B474 3D3A 3621 AAFE

  2. Re: New PGP keyserver and e-mail address verification

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    usenet@gp.users.panix.com (Greg Pratt) writes:

    >I'm surprised no one has posted anything about the new e-mail
    >verification feature on the PGP Corporation keyserver.


    It has been discussed at length on alt.security.pgp

    >This sounds like a good idea -- providing a (theoretically) trusted
    >source that could sign keys. This would at least allow you to trust
    >that the e-mail address exists, even if you can't trust that it actually
    >belongs to the person whose real name exists in the respective key.


    >There's just one problem: the signature is only valid for two weeks.


    It appears to be signed "on the fly" when you fetch the key.

    >On my current key (0x3621AAFE), there are now two signatures: (1) the
    >first one that was created on 11-Dec-2004, and is now expired; and
    >(2) the one I created today (01-Jan-2005), which will expire on the
    >15th of the month.


    I am not importing my own key from that keyserver. Best to not
    retain those 2-week signatures.

    I'm surprised that's your only concern. Check the last two or three
    weeks of alt.security.pgp to see other concerns. The most serious is
    that the email you receive is a bit too similar to a phish.

    >Have many other people tried the new keyserver? Has PGP announced their
    >design and intentions with this new signature scheme? The cynic in me
    >is starting to think the unrealistically short signature expiration
    >times might be a marketing ploy, in which case we'll probably see ads
    >soon for one-year signatures or whatnot, as PGP moves more toward the
    >CA business.


    I have previously posted that I suspect this to be a marketing move.
    But I am not quite as cynical as you. I doubt that there is any plan
    for a purchased long-term signature. Having a short-term signature
    actually makes some sense for a keyserver where you can request that
    your key be removed.

    My advice -- stick with the traditional keyservers. Treat the new GD
    server as mainly for newbies -- the people who screw up, or forget
    passphrases, or delete their keys, or reinstall without first backing
    up their keys. For such newbies, the short signature life is a good
    thing. For experience PGP users, the "security" provided by this
    simple email checking is inadequate, and the GD signing key should
    not be trusted.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.3.91 (SunOS)

    iD8DBQFB1uz/vmGe70vHPUMRAo0tAJ95ISE7/2bdbosBTRxv7gYKDbw+pQCg9I7l
    9VEHhUuPqIsybtfIbaW679M=
    =bONn
    -----END PGP SIGNATURE-----


  3. Re: New PGP keyserver and e-mail address verification

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    usenet@gp.users.panix.com (Greg Pratt) wrote in
    news:cr6our$cg3$1@panix1.panix.com:


    > Have many other people tried the new keyserver? Has PGP announced
    > their design and intentions with this new signature scheme? The
    > cynic in me is starting to think the unrealistically short
    > signature expiration times might be a marketing ploy, in which case
    > we'll probably see ads soon for one-year signatures or whatnot, as
    > PGP moves more toward the CA business.


    Of course, the beta Global Directory keyserver has received much
    discussion in various PGP forums.

    The two week valid key signature is from when you download the key
    from the keyserver. My guess is that this is reflecting the fact
    that you should not automatically consider a key valid just because
    you have downloaded it from this server; and also takes into account
    that two weeks should be plenty of time for you to determine that the
    key is valid (or not) and for you to therefore sign it (or not).

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: My PGP Page & FAQ: http://www.mccune.cc/PGP.htm

    iQEVAwUBQdcaZmDeI9apM77TAQLWqQf/b9KAO+9YQ+3IoCe6rHRgUpz1xt+E3S/m
    y6w9/buSllQFSNL+EzTuIWph4n5I5w6mqtqcINz9gg36fd9Fy3P29AM eqM7VJgJb
    w60JYuXCi10FdazN9j8ozN/z6ydsxCAc8tKCWj0SrQaRHpoaySpOBqwAA16E2hCq
    /9GnSfMVl7bwwzj9PyJV4YnAoapymAjzoxQLyYQumRdEgdgTSL4 yrSAtlLm+BluE
    uO7t/K6fE5fORQQ0sX9tDqwXVRnxi5HCrtJh1khNYmKRhQbGWFiu7bU HK7LT8PT5
    jdsgmyijSijvDk6EacM2DP9CDxxIocGOF+56kpNJkt2XkqxvGa +hWw==
    =kGs2
    -----END PGP SIGNATURE-----

+ Reply to Thread