[EMAIL PROTECTED] writes:

> The answer is simple. I cannot publish a PGP under a false name, because if
> I did, who would sign it to attest that the genuinely did belong to the
> person to whom it claimed to belong? Would you?
> I, personally, would never sign a bogus key. If I ever did find someone who

This leads us to a question beyond the subject of this thread (something along the lines of what the meaning of identity is, or what a true name is, and this is not an easy thing on which to reach agreement). I don't think it is necessarily the case that a key is bogus because it doesn't have, say, a birth certificate name on its certificate, but that's my opinion & of course yours is different, and what keys you are willing to trust is a responsibility rightly left to you to decide.

> solution, except live with it. Either don't publish your key (which means
> that no-one can find your key even if they have a priori knowledge of your
> email address), or do (and accept the price in spam). This seems to be the
> reality of how it is. This being the case, I am now starting to wonder if it

I think there are two false premises here that lead to a faulty conclusion.

One is that not publishing your address means no-one can find your encryption key. This is false. Not publishing means that the responsibility for managing that key falls to you and your correspondents. PGP supports key rings and most MUAs have some kind of address book, so previously-seen keys have some opportunity to be remembered. Why is there any interest in publishing in a keyserver in the first place?

The second false premise (arguably) is caught in this: "and accept the price in spam". There is certainly a vulnerability in having email addresses in a public archive like keyservers. But is there an actual demonstrated risk? Does anyone have evidence of any kind, other than their opinion? Ours seems to be inconvenient for scraping, but maybe I'm missing something: either you have to have a pretty good idea what you're looking for in the first place, or you have to download a very large file and extract the email strings from it. The suggestion to limit the number of matches returned might be useful.

Doesn't publishing a key in a keyserver mean you are willing to accept (encrypted) mail from people you do not know? Or maybe, effectively, it means you have to tolerate that as a side effect from whatever other benefit you might derive from the keyserver. How can you instruct a keyserver to only give your email address out to people who send good email and not spam?

> might be time to invent a new PGP keyserver protocol which addresses this

What would it do? There have been several key servers developed in the past 1-2 years and there has been some activity in drafting up various specs; I'm having a little trouble laying hands on what the current state is, but you might try

http://community.roxen.com/developers/idocs/drafts/draft-shaw-openpgp-hkp-00.html

or ftp.ietf.org and look for

draft-shaw-openpgp-hkp-00.txt
draft-shaw-openpgp-replacementkey-01.txt

(but there are other keyservers) and rummaging through the ietf-openpgp wg mailing list

http://www.imc.org/ietf-openpgp/mail-archive/maillist.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
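As an added illustration (not code from this thread or from any real keyserver), here is a minimal HKP-style index lookup that applies the match limit suggested above and refuses search terms too broad to be a genuine lookup. The sample key ring, the thresholds and the "error:" line are assumptions; the index lines are modelled on the machine-readable format of the draft-shaw-openpgp-hkp-00 draft mentioned above.

```python
# Added example: an HKP-style "op=index" handler that caps how much address
# data a single query can pull out of the archive. Key ring is constructed.
from urllib.parse import quote

# Constructed sample ring: (key id, algo, bits, created-unix, user ids)
SAMPLE_KEYS = [
    ("0123456789ABCDEF", 17, 1024, 946684800, ["Alice Example <alice@example.org>"]),
    ("FEDCBA9876543210", 1, 2048, 978307200, ["Bob Example <bob@example.net>"]),
    ("1111222233334444", 17, 1024, 1000000000, ["Carol <carol@example.org>"]),
]

MIN_SEARCH_LEN = 3   # assumption: shorter terms are enumeration, not lookup
MAX_MATCHES = 2      # assumption: cap on keys returned per query

def hkp_index(search: str, keys=SAMPLE_KEYS, max_matches: int = MAX_MATCHES) -> str:
    """Return machine-readable index lines (info/pub/uid) for matching keys.

    A caller must already know roughly what key they want: bare wildcards or
    very short terms are refused, and at most max_matches keys are listed.
    """
    term = search.strip()
    if len(term) < MIN_SEARCH_LEN or term in ("*", "%", "@", "."):
        return "error: search term too unspecific\n"
    if term.startswith("0x"):
        # Key-id lookup: match on the trailing hex digits of the key id.
        suffix = term[2:].lower()
        matches = [k for k in keys if k[0].lower().endswith(suffix)]
    else:
        # User-id lookup: case-insensitive substring match on any user id.
        matches = [k for k in keys if any(term.lower() in u.lower() for u in k[4])]
    shown = matches[:max_matches]
    lines = ["info:1:%d" % len(shown)]
    for keyid, algo, bits, created, uids in shown:
        lines.append("pub:%s:%d:%d:%d::" % (keyid, algo, bits, created))
        for uid in uids:
            # User ids are percent-escaped so ':' and whitespace stay parseable.
            lines.append("uid:%s:%d::" % (quote(uid), created))
    return "\n".join(lines) + "\n"
```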