At 05:47 PM 6/11/03 -0700, Bill Frantz wrote:
>To try to reflect some of David's points with a real-world situation. I
>was at work, with a brand new installation of PGP. I wanted to send some
>confidential data home so I could work with it. However, I didn't have my
>home key at work, so I didn't have a secure way to send either the data or
>the work key. I didn't even have the fingerprint of the home key.
>
>My solution was to pull Carl Ellison's business card out of my pocket. It
>had his key fingerprint on it, and I remember getting it directly from him,
>so I could trust the fingerprint. Now Carl had signed my key, so when I
>downloaded it from the key server, I could verify that it was indeed mine
>(to the extent I trusted Carl). Carl's signature and the key server
>allowed me to bootstrap trust into my own key.
>
>But with a key server, I didn't have to bother Carl to send me my key, or
>depend on him being online when I needed it.
True, although:

1. You could have had your own key fingerprint on your own bizcard and
done the same.

2. You needn't have had your valid email address there (going back to the
spam thread), perhaps just your regular name. In fact you could have your
key on your home server, not on a public server which serves as spambait.
Your home server could be "unlisted" by using an alternate port. (I do this
to get around ISP blocking, but then I'm not trying to publish papers on my
home server.) Or use CGI, or a password mechanism, to deter spam-spiders.

The point with spam and publishing your email address is that it's like
having a public physical storefront: anyone can pay the price of a
cigarette to a stream of homeless people to clog your physical store. Or
form a huge line if you have bouncers at the door. That's what having a
public interface means.

3. I think you also trusted that Carl has not been compromised and
re-signed a bogus key *after* he first signed it. (Not picking on Carl
here :-)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
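An added worked example, not part of either message above: it models Bill's bootstrap (fetch Carl's key from an untrusted key server, accept it only if it matches the fingerprint on the card, then accept any "Bill Frantz" key carrying a valid certification from that key) and then the two points from the reply. Point 3: once Carl's private key is compromised, a bogus "Bill Frantz" key certified with it passes the same check, so the signer-based bootstrap cannot tell the genuine key from the bogus one. Point 1: a fingerprint of your own key on your own card selects exactly the genuine key. Ed25519 and a SHA-256 hash of the public key stand in for PGP keys and PGP fingerprints, the key server is an in-memory map, and all keys are generated at run time; the names are the ones used in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Certification is one signature over (owner name, public key) made by another key.
type Certification struct {
	SignerFP string // fingerprint of the key that made the signature
	Sig      []byte
}

// PublishedKey is what an untrusted key server hands back for a name lookup.
type PublishedKey struct {
	Owner string
	Pub   ed25519.PublicKey
	Certs []Certification
}

// KeyServer stands in for a public key server: anyone can upload anything under
// any name, so nothing here is trusted until checked against something out of band.
type KeyServer map[string][]PublishedKey

// Fingerprint is the value printed on a business card. SHA-256 of the raw key is a
// stand-in for this example; OpenPGP defines its own fingerprint construction.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// certBody is the byte string a certification signs: the owner name, a separator, the key.
func certBody(owner string, pub ed25519.PublicKey) []byte {
	return append([]byte(owner+"\x00"), pub...)
}

// Certify signs (owner, pub) with signerPriv and records the signer's fingerprint.
func Certify(signerPriv ed25519.PrivateKey, owner string, pub ed25519.PublicKey) Certification {
	signerPub := signerPriv.Public().(ed25519.PublicKey)
	return Certification{SignerFP: Fingerprint(signerPub), Sig: ed25519.Sign(signerPriv, certBody(owner, pub))}
}

// KeysCertifiedBy is Bill's bootstrap: fetch signerName's key from the server, accept it
// only if its fingerprint matches the card, then return every key published under owner
// that carries a valid certification from that key. More than one result means the
// signature alone did not pin down which key is genuine.
func KeysCertifiedBy(ks KeyServer, signerName, cardFP, owner string) ([]PublishedKey, error) {
	var signerPub ed25519.PublicKey
	for _, k := range ks[signerName] {
		if Fingerprint(k.Pub) == cardFP {
			signerPub = k.Pub
		}
	}
	if signerPub == nil {
		return nil, fmt.Errorf("no key for %q matches the fingerprint on the card", signerName)
	}
	var accepted []PublishedKey
	for _, k := range ks[owner] {
		for _, c := range k.Certs {
			if c.SignerFP == cardFP && ed25519.Verify(signerPub, certBody(k.Owner, k.Pub), c.Sig) {
				accepted = append(accepted, k)
				break
			}
		}
	}
	return accepted, nil
}

// KeyMatchingFingerprint is the alternative from point 1: your own fingerprint on your own card.
func KeyMatchingFingerprint(ks KeyServer, owner, ownCardFP string) (PublishedKey, bool) {
	for _, k := range ks[owner] {
		if Fingerprint(k.Pub) == ownCardFP {
			return k, true
		}
	}
	return PublishedKey{}, false
}

// Scenario holds the constructed keys so the walk-through can refer to them.
type Scenario struct {
	Server      KeyServer
	CarlCardFP  string            // fingerprint Bill got from Carl in person (trusted)
	BillCardFP  string            // fingerprint Bill could have printed on his own card
	GenuineBill ed25519.PublicKey // Bill's real key
	BogusBill   ed25519.PublicKey // key uploaded by whoever compromised Carl
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildScenario constructs the situation from the thread: Carl certified Bill's real key,
// then Carl's private key was compromised and used to certify a bogus "Bill Frantz" key.
func BuildScenario() Scenario {
	carlPub, carlPriv := mustKey()
	billPub, _ := mustKey()
	bogusPub, _ := mustKey()
	ks := KeyServer{
		"Carl Ellison": {{Owner: "Carl Ellison", Pub: carlPub}},
		"Bill Frantz": {
			{Owner: "Bill Frantz", Pub: billPub, Certs: []Certification{Certify(carlPriv, "Bill Frantz", billPub)}},
			// The attacker holds carlPriv now, so this certification verifies just as well.
			{Owner: "Bill Frantz", Pub: bogusPub, Certs: []Certification{Certify(carlPriv, "Bill Frantz", bogusPub)}},
		},
	}
	return Scenario{Server: ks, CarlCardFP: Fingerprint(carlPub), BillCardFP: Fingerprint(billPub), GenuineBill: billPub, BogusBill: bogusPub}
}

func main() {
	s := BuildScenario()
	viaCarl, _ := KeysCertifiedBy(s.Server, "Carl Ellison", s.CarlCardFP, "Bill Frantz")
	fmt.Printf("keys accepted on the strength of Carl's signature: %d\n", len(viaCarl))
	own, ok := KeyMatchingFingerprint(s.Server, "Bill Frantz", s.BillCardFP)
	fmt.Printf("own-fingerprint check finds a key: %v, genuine: %v\n", ok, own.Pub.Equal(s.GenuineBill))
}
```

Run as-is and the first line reports two accepted keys, because the check only ever establishes "Carl's key signed this", which both keys satisfy once his private key is in someone else's hands; the second line shows the own-fingerprint route returning the single genuine key. Note that the signer check still does real work in the other direction: a wrong fingerprint on the card rejects Carl's key outright, and a certification whose signature does not verify is ignored, so the key server itself cannot forge certifications without Carl's private key.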