Anyone with a PGP key on the pgp.com keyserver likely has gotten one or more of these emails recently. I'm figuring it's legit, see http://www.pgp.com/downloads/beta/globaldirectory/faq.html
It is legit.
- Any security types have a decent analysis of what the new pgp.com's "Directory" really means, vs. using other keyservers?
The point about this new one is it allows keys that are wrong (i.e. do not belong to the email address) or no longer have private keys available to be expired.
- Hey: how many of us still see the pgp.com keyserver as a useful thing for building the Apache web-of-trust, versus other keyservers or simply managing keys individually?
They are a convenient way to get keys. I use them all the time.
A couple of things in the FAQ are interesting: - Only supports v4 keys - no RSA legacy keys (they get deleted before being posted in the directory)
This is a long-standing whine by PGP types - compatibility issues, basically.
- Verifies keys every 6 months by requiring a clickthru response to emails sent to <[EMAIL PROTECTED]>; only keys with email addr are supported.
See above.
- *Only* signatures from other keys that are also in the Directory are supported: other signatures are removed before being exposed in the Directory. (This one is mildly annoying) I wonder how many out of their claimed 107 signatures on my key will remain after this check.
I'm not sure of the motivation for this one - I'll take it up with the guy in charge if you want.
Cheers,
Ben.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
