Re: [PGP Global Directory] Verify Email Address - what do people think?
Dirk-Willem van Gulik wrote:
> On Tue, 21 Dec 2004, Ben Laurie wrote:
>> The point about this new one is it allows keys that are wrong (i.e. do not belong to the email address) or no longer have private keys available to be expired.
>
> Though I kind of dislike that; I intentionally keep older email addresses on my key as in the period I worked for that employer I signed things as in that role - and those keys still are valid in that sense.

This doesn't affect their historical accuracy, of course, just whether you can fetch them from keyservers.

> I guess this forces us to start to become more careful about role accounts :-)

Role accounts suck.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [PGP Global Directory] Verify Email Address - what do people think?
On Tue, 21 Dec 2004, Ben Laurie wrote:
> The point about this new one is it allows keys that are wrong (i.e. do
> not belong to the email address) or no longer have private keys
> available to be expired.

Though I kind of dislike that; I intentionally keep older email addresses on my key as in the period I worked for that employer I signed things as in that role - and those keys still are valid in that sense.

I guess this forces us to start to become more careful about role accounts :-)

Dw.

Re: [PGP Global Directory] Verify Email Address - what do people think?
Shane Curcuru wrote:
> Anyone with a PGP key on the pgp.com keyserver likely has gotten one or more of these emails recently. I'm figuring it's legit, see
> http://www.pgp.com/downloads/beta/globaldirectory/faq.html

It is legit.

> - Any security types have a decent analysis of what the new pgp.com's "Directory" really means, vs. using other keyservers?

The point about this new one is it allows keys that are wrong (i.e. do not belong to the email address) or no longer have private keys available to be expired.

> - Hey: how many of us still see the pgp.com keyserver as a useful thing for building the Apache web-of-trust, versus other keyservers or simply managing keys individually?

They are a convenient way to get keys. I use them all the time.

> A couple of things in the FAQ are interesting:
>
> - Only supports v4 keys - no RSA legacy keys (they get deleted before being posted in the directory)

This is a long-standing whine by PGP types - compatibility issues, basically.

> - Verifies keys every 6 months by requiring a clickthru response to emails sent to <[EMAIL PROTECTED]>; only keys with email addr are supported.

See above.

> - *Only* signatures from other keys that are also in the Directory are supported: other signatures are removed before being exposed in the Directory. (This one is mildly annoying) I wonder how many out of their claimed 107 signatures on my key will remain after this check.

I'm not sure of the motivation for this one - I'll take it up with the guy in charge if you want.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

Re: [PGP Global Directory] Verify Email Address - what do people think?
Anyone with a PGP key on the pgp.com keyserver likely has gotten one or more of these emails recently. I'm figuring it's legit, see
http://www.pgp.com/downloads/beta/globaldirectory/faq.html

- Any security types have a decent analysis of what the new pgp.com's "Directory" really means, vs. using other keyservers?

- Hey: how many of us still see the pgp.com keyserver as a useful thing for building the Apache web-of-trust, versus other keyservers or simply managing keys individually?

A couple of things in the FAQ are interesting:

- Only supports v4 keys - no RSA legacy keys (they get deleted before being posted in the directory)

- Verifies keys every 6 months by requiring a clickthru response to emails sent to <[EMAIL PROTECTED]>; only keys with email addr are supported.

- *Only* signatures from other keys that are also in the Directory are supported: other signatures are removed before being exposed in the Directory. (This one is mildly annoying) I wonder how many out of their claimed 107 signatures on my key will remain after this check.

- Shane

(Forgot the passphrase for my new .sig)