On Tue, 30 Dec 2003 01:12:13 -0500, Lorenzo Prince wrote:

>This is true, but with the current GPG tools, it seems much easier, at least to
>me, to simply export my key to a keyserver and let anyone import it if needed.
>More importantly, if I export my key, most servers sync with the server my key is
>posted on so in most cases it doesn't matter what keyserver you use.

Automatic downloading of keys makes me wonder what the use of PGP / GPG signing really is. All it will do, in this case, is tell you that the person who sent the message is the person who uploaded the key. Which, in reality, tells you nothing.

Yes, I suppose keyservers will only accept one key for one email address (is this true?), so if I'm the one who uploads a key for trevor@xxxxxxxxxxxxxx *FIRST*, then the "real" trevor@xxxxxxxxxxxxxx would be the one posting to this list. But even though I know this (since I'm him), you wouldn't have any proof of it, since you don't know I'm him. Maybe I'm someone pretending to be me and I created a key and started sending emails to this list. Unless you emailed me directly, you'd never know (presumably, without much more sophisticated hacking, a "fake" trevor wouldn't be able to intercept my email).

Or suppose I just created a "slightly faked" domain and address like trevor@xxxxxxxxxxxxx (notice the missing "i" in "haligonian"), created a key, uploaded it and started signing messages. If you auto-download keys then you might never even notice that this is a "new" trevor.

If you only get keys manually, you would at least have a little more awareness of some of that spoofing and maybe more direct knowledge of who you're communicating with.

-- 
Trevor Smith | trevor@xxxxxxxxxxxxxx
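The distinction the post draws between "the signature is valid" and "I know who holds this key" can be made concrete as a policy layer sitting on top of a signature check. The following is an added example, not code from the original thread or from GnuPG: it models the bare facts a verifier reports (signature valid or not, signing-key fingerprint, e-mail address in the key's user ID) and then classifies the result against a local list of fingerprints confirmed out of band. Keys fetched automatically from a keyserver never get past "unverified"; a valid signature under a different key for a pinned address is flagged as a mismatch (the "I upload a key for your address first" case); and an address one edit away from a known correspondent is flagged as a look-alike (the "slightly faked" domain case). All fingerprints, addresses and results are constructed placeholders; the real domain in the post is masked and is not reproduced here.

```python
"""Trust policy on top of an OpenPGP-style signature verification result.

A cryptographically valid signature from an auto-downloaded key only proves
that the signer holds the key that was uploaded.  Whether that key belongs
to the person you think it does is a separate, non-cryptographic question,
answered here by a locally pinned fingerprint list.  Every value below
(fingerprints, addresses) is constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Trust(Enum):
    BAD_SIGNATURE = "signature does not verify"
    VERIFIED = "valid signature; key fingerprint pinned out of band"
    KEY_MISMATCH = "valid signature; key differs from the pinned key for this address"
    LOOKALIKE = "valid signature; address is one edit away from a known contact"
    UNVERIFIED = "valid signature; key was never verified out of band"


@dataclass(frozen=True)
class VerifyResult:
    """What a signature check alone reports (modelled on gpg's status output)."""
    signature_valid: bool
    key_fingerprint: str   # fingerprint of the key that produced the signature
    uid_email: str         # e-mail address claimed in the signing key's user ID


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def lookalike_of(email: str, known: Dict[str, str]) -> Optional[str]:
    """Return the known address this one imitates (exactly one edit away), or None."""
    for contact in known:
        if contact != email and edit_distance(contact, email) == 1:
            return contact
    return None


def classify(result: VerifyResult, pinned: Dict[str, str]) -> Trust:
    """pinned maps a lower-case e-mail address to the fingerprint confirmed out of band."""
    if not result.signature_valid:
        return Trust.BAD_SIGNATURE
    email = result.uid_email.lower()
    fpr = result.key_fingerprint.replace(" ", "").upper()
    if email in pinned:
        return Trust.VERIFIED if pinned[email] == fpr else Trust.KEY_MISMATCH
    if lookalike_of(email, pinned) is not None:
        return Trust.LOOKALIKE
    return Trust.UNVERIFIED


# Constructed local trust store: one correspondent whose fingerprint was
# checked in person / by phone (placeholder values, not real keys).
SAMPLE_PINNED = {
    "trevor@example.org": "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Constructed verification results covering each case from the discussion.
SAMPLE_RESULTS = [
    VerifyResult(True, "0123456789ABCDEF0123456789ABCDEF01234567", "trevor@example.org"),
    VerifyResult(True, "FEDCBA9876543210FEDCBA9876543210FEDCBA98", "trevor@example.org"),
    VerifyResult(True, "1111222233334444555566667777888899990000", "trevor@exmple.org"),
    VerifyResult(True, "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333", "someone@elsewhere.test"),
    VerifyResult(False, "0123456789ABCDEF0123456789ABCDEF01234567", "trevor@example.org"),
]


def run_demo() -> List[Trust]:
    """Classify every sample result and return the verdicts in order."""
    return [classify(r, SAMPLE_PINNED) for r in SAMPLE_RESULTS]


if __name__ == "__main__":
    for res, verdict in zip(SAMPLE_RESULTS, run_demo()):
        print(f"{res.uid_email:28} {res.key_fingerprint[:8]}...  {verdict.value}")
```

The design point is that `classify` never promotes a key to VERIFIED on the strength of the signature alone; only the pinned fingerprint does that. A mail client that auto-fetched keys would report every message in the sample as "good signature", whereas this layer distinguishes the legitimate key from a substitute key for the same address and from a look-alike address.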