At 05:47 PM 6/11/03 -0700, Bill Frantz wrote:
>To try to reflect some of David's points with a real-world situation.  I
>was at work, with a brand new installation of PGP.  I wanted to send some
>confidential data home so I could work with it.  However I didn't have my
>home key at work, so I didn't have a secure way to send either the data, or
>the work key.  I didn't even have the fingerprint of the home key.
>
>My solution was to pull Carl Ellison's business card out of my pocket.  It
>had his key fingerprint on it, and I remember getting it directly from him,
>so I could trust the fingerprint.  Now Carl had signed my key, so when I
>downloaded it from the key server, I could verify that it was indeed mine
>(to the extent I trusted Carl).  Carl's signature, and the key server
>allowed me to bootstrap trust into my own key.
>
>
>But with a key server, I didn't have to bother Carl to send me my key.  Or
>depend on him being online when I needed it.

True, although: 
1. you could have had your own key-fingerprint on your own bizcard
and done the same.  

2. you needn't have had your valid email address there (going back
to the spam-thread), perhaps just your regular name.  In fact you
could have your key on your home server, not in a public 
server which serves as spambait.  Your home server could be
"unlisted" by using an alternate port.  (I do this to get around
ISP blocking, but then I'm not trying to publish papers on my
home server.)  Or use CGI, or a password mechanism, to deter spam-spiders.

The point with spam and publishing your email address
is that its like having a public
physical storefront: anyone can pay the price of a cigarette 
to a stream of homeless people to
clog your physical store.  Or form a huge line if you have bouncers
at the door.  That's what having a public interface means.

3. I think you also trusted that Carl has not been compromised
and re-signed a bogus key *after* he first signed it.  (Not picking
on Carl here :-)





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to