RE: Keyservers and Spam

2003-06-17 Thread Bill Frantz
At 10:02 AM -0700 6/15/03, David Honig wrote: >At 03:41 PM 6/13/03 -0700, Bill Frantz wrote: >> >>The HighFire project at Cryptorights >> is planning on building a >>"web of trust" rooted in the NGOs who will be using the system. Each NGO >>will have

RE: Keyservers and Spam

2003-06-15 Thread David Honig
At 03:41 PM 6/13/03 -0700, Bill Frantz wrote: > >The HighFire project at Cryptorights > is planning on building a >"web of trust" rooted in the NGOs who will be using the system. Each NGO >will have a signing key. A NGO will sign the keys of the peo

RE: Keyservers and Spam

2003-06-13 Thread Anne & Lynn Wheeler
At 11:56 AM 6/13/2003 -0400, John Kelsey wrote: The thing that strikes me is that the PGP web of trust idea is appropriate for very close-knit communities, where reputations matter and people mostly know one another. A key signed by Carl Ellison or Jon Callas actually means something to me, bec

RE: Keyservers and Spam

2003-06-13 Thread Bill Frantz
At 2:35 PM -0700 6/13/03, Pat Farrell wrote: >At 11:56 AM 6/13/2003 -0400, John Kelsey wrote: >>At 10:27 AM 6/11/03 -0700, bear wrote: >>>That is the theory. In practice, as long as the PGP "web of trust" >> >>The thing that strikes me is that the PGP web of trust idea is appropriate >>for very cl

RE: Keyservers and Spam

2003-06-13 Thread Pat Farrell
At 11:56 AM 6/13/2003 -0400, John Kelsey wrote: At 10:27 AM 6/11/03 -0700, bear wrote: That is the theory. In practice, as long as the PGP "web of trust" The thing that strikes me is that the PGP web of trust idea is appropriate for very close-knit communities, where reputations matter and people

RE: Keyservers and Spam

2003-06-13 Thread John Kelsey
At 10:27 AM 6/11/03 -0700, bear wrote: ... That is the theory. In practice, as long as the PGP "web of trust" depends on connections made through signers not personally known to the person depending on the security, it hardly works. There is very little verification done in the web of trust, not

RE: Keyservers and Spam

2003-06-13 Thread John Kelsey
At 09:19 AM 6/11/03 +0100, [EMAIL PROTECTED] wrote: ... I observe that "confirmation" of the fingerprint by phone is worthless unless the recipient is able to recognise my voice. In the case of a stranger, that won't be the case. It's not quite worthless, as it raises the cost of the attack quite a

RE: Keyservers and Spam

2003-06-12 Thread Bill Frantz
At 8:58 AM -0700 6/12/03, David Honig wrote: >At 05:47 PM 6/11/03 -0700, Bill Frantz wrote: >>To try to reflect some of David's points with a real-world situation. I >>was at work, with a brand new installation of PGP. I wanted to send some >>confidential data home so I could work with it. Howev

RE: Keyservers and Spam

2003-06-12 Thread David Honig
At 05:47 PM 6/11/03 -0700, Bill Frantz wrote: >To try to reflect some of David's points with a real-world situation. I >was at work, with a brand new installation of PGP. I wanted to send some >confidential data home so I could work with it. However I didn't have my >home key at work, so I didn'

RE: Keyservers and Spam

2003-06-11 Thread Bill Frantz
To try to reflect some of David's points with a real-world situation. I was at work, with a brand new installation of PGP. I wanted to send some confidential data home so I could work with it. However I didn't have my home key at work, so I didn't have a secure way to send either the data, or th

RE: Keyservers and Spam

2003-06-11 Thread Anne & Lynn Wheeler
At 10:27 AM 6/11/2003 -0700, bear wrote: I don't particularly like the commercial certs, but the thousand bucks or so ought to serve as a "bond", in that if people untrust the keys, there is real value that will be lost. That makes it require some expenditure of resources to grab a new nym. Howev

RE: Keyservers and Spam

2003-06-11 Thread bear
On Tue, 10 Jun 2003 [EMAIL PROTECTED] wrote: > >> -Original Message- >> From: David Honig >> Sent: Monday, June 09, 2003 6:42 PM >> To: [EMAIL PROTECTED]; [EMAIL PROTECTED] >> Subject: Re: Keyservers and Spam >> >> Why not publish your key

RE: Keyservers and Spam

2003-06-11 Thread Jill . Ramonsky
t thinking it through a bit more thoroughly. Jill -Original Message- From: Jill Ramonsky Sent: Wednesday, June 11, 2003 9:20 AM To: [EMAIL PROTECTED] Subject: RE: Keyservers and Spam > From: David Honig > Sent: Tuesday, June 10, 2003 11:53 PM > Subject: RE: Keyservers and Spam

RE: Keyservers and Spam

2003-06-11 Thread Jill . Ramonsky
> From: David Honig > Sent: Tuesday, June 10, 2003 11:53 PM > Subject: RE: Keyservers and Spam > > You email your key to those who justify the request. In plaintext, > or on the phone. What is the problem with that? The possibility of a MITM attack. I observe that "

RE: Keyservers and Spam

2003-06-10 Thread David Honig
At 12:43 PM 6/10/03 -0400, Jeffrey Kay wrote: >number (which I now use Call Intercept to avoid telephone solicitors). But for privacy reasons, some folks will not automatically forward their phone number. You either deny them access or require them to jump through extra hoops (redial w/ special

RE: Keyservers and Spam

2003-06-10 Thread David Honig
At 04:54 PM 6/10/03 +0100, [EMAIL PROTECTED] wrote: >> From: David Honig >> Why not publish your key under a bogus name that goes no-where? > >The answer is simple. I cannot publish a PGP under a false name, because if >I did, who would sign it to attest that the genuinely did belong to the >pers

RE: Keyservers and Spam

2003-06-10 Thread Nomen Nescio
The solution to this problem is simple. We want to be able to look up keys on the key servers by email address or user name or keyid. But we don't want the system to be useful for spam harvesting. Simply require that lookups be by valid email address or user name. Eliminate the wildcard searching

Re: Keyservers and Spam

2003-06-10 Thread Michael Helm
[EMAIL PROTECTED] writes: > The answer is simple. I cannot publish a PGP under a false name, because if > I did, who would sign it to attest that the genuinely did belong to the > person to whom it claimed to belong? Would you? > I, personally, would never sign a bogus key. If I ever did find some

RE: Keyservers and Spam

2003-06-10 Thread Greg Rose
At 04:54 PM 6/10/2003 +0100, [EMAIL PROTECTED] wrote: > -Original Message- > From: David Honig > Sent: Monday, June 09, 2003 6:42 PM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: Keyservers and Spam > > Why not publish your key under a bogus name that goes

RE: Keyservers and Spam

2003-06-10 Thread Jeffrey Kay
al Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Tuesday, June 10, 2003 11:54 AM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: RE: Keyservers and Spam ... > So ... if you believe (as I do) that a PGP key is &

RE: Keyservers and Spam

2003-06-10 Thread Jill . Ramonsky
> -Original Message- > From: David Honig > Sent: Monday, June 09, 2003 6:42 PM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: Keyservers and Spam > > Why not publish your key under a bogus name that goes no-where? The answer is simple. I cannot publis

Re: Keyservers and Spam

2003-06-09 Thread Victor . Duchovni
On Mon, 9 Jun 2003 [EMAIL PROTECTED] wrote: > Hi, > > It seems to me that the possibility that spammers might harvest PGP > keyservers for email addresses is a serious disincentive to using > keyservers. Does anyone have any thoughts on this? > There are plenty of sources from which harvest email

Re: Keyservers and Spam

2003-06-09 Thread David Honig
At 11:51 AM 6/9/03 +0100, [EMAIL PROTECTED] wrote: >Hi, > >It seems to me that the possibility that spammers might harvest PGP >keyservers for email addresses is a serious disincentive to using >keyservers. Does anyone have any thoughts on this? Why not publish your key under a bogus name that goe

Re: Keyservers and Spam

2003-06-09 Thread Michael Helm
[EMAIL PROTECTED] writes: > My first thought is to generate a new (secure) email address which includes > the old (insecure) address as a substring (for example > "[EMAIL PROTECTED]"). Will this work? I don't know enough about > keyservers to know the answer to that one. I don't know about all pgp

RE: Keyservers and Spam

2003-06-09 Thread Jill . Ramonsky
olume is not going to be crippling". Roughly how much volume are we talking about here? Jill -Original Message- From: Peter Clay [mailto:[EMAIL PROTECTED] Sent: Monday, June 09, 2003 4:14 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Keyservers and Spam On Mon, 9 J

Re: Keyservers and Spam

2003-06-09 Thread Peter Clay
On Mon, 9 Jun 2003 [EMAIL PROTECTED] wrote: > Hi, > > It seems to me that the possibility that spammers might harvest PGP > keyservers for email addresses is a serious disincentive to using > keyservers. Does anyone have any thoughts on this? Solution: Have two addresses, a "secure" and "non-sec