On Sat, 2009-07-11 at 00:49 +0000, g wrote:
> another reason, at least as I was told, key servers do not verify who
> submits a key is actual owner of address.

The whole point of PGP-style signatures is the "web of trust". If you don't get someone's public key directly from them (e.g. at a key-signing party) or from an intermediary that you both trust sufficiently, you basically know nothing about the sender. The point of key servers is not to verify anything, it's to make keys easily accessible.

Using a public key and not putting it on a key server means a random reader can't even verify that a succession of messages were signed with the same key (the only info in the signature itself is the Key ID, which is fakable with enough effort). Putting it on a key server without an independent verification channel does at least allow a motivated reader to check with high confidence that a bunch of messages use the same key, but doesn't allow them to check if they were signed by the correct person.

And in conclusion: the use of signatures (even registered ones) on large, essentially anonymous, mailing lists is at best debatable. What exactly do people expect to gain from this? Signatures were invented in large part to allow integrity and non-repudiation of messages. If I see a message purportedly from myself on this list and I didn't send it, I'll be very quick to repudiate it. Has this ever happened in anyone's memory?

poc

PS I highly recommend a Stanford paper from a few years back, entitled "Why Johnny Can't Encrypt". Google for it, it's very illuminating.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
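The distinction poc draws above, between "these messages were signed with the same key" (what a key server lets you check) and "this key belongs to the person named in the From: line" (what only an out-of-band exchange or a trusted introducer gives you), is easy to see in code. The following Go program is an added example written for this page, not code from the thread or from any PGP implementation. It assumes ed25519 keys with a SHA-256 fingerprint as a stand-in for OpenPGP keys and fingerprints; `TrustStore`, `Verify`, `SameKey`, the Alice/Mallory scenario and the message texts are all constructed for illustration. A "trust store" holds only keys obtained directly from their owner; any other key that verifies a signature yields a continuity verdict (same full fingerprint as before) and nothing more.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewKey generates a fresh signing key (stand-in for a PGP key pair).
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// PubOf returns the public half of a private key.
func PubOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// Fingerprint is the full SHA-256 hash of the public key, hex-encoded.
// Comparing full fingerprints is what makes "same key" a meaningful claim.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// ShortKeyID mimics the 32-bit short key ID habit (last 4 bytes of the
// fingerprint). It is far too small to identify a key on its own; the
// example prints it only to contrast it with the full fingerprint.
func ShortKeyID(pub ed25519.PublicKey) string {
	fp := Fingerprint(pub)
	return fp[len(fp)-8:]
}

// SignedMessage is a message as it arrives on a list: body, a signature,
// and the public key the reader fetched (e.g. from a key server) to check it.
type SignedMessage struct {
	Body      []byte
	Signer    ed25519.PublicKey // unverified: anyone can upload a key for any address
	Signature []byte
}

// Sign produces a SignedMessage from a private key and a body.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Signer: PubOf(priv), Signature: ed25519.Sign(priv, body)}
}

// Verdict is what a reader can legitimately conclude from a signature.
type Verdict int

const (
	Invalid         Verdict = iota // signature does not verify: body or key was altered
	ContinuityOnly                 // verifies, but the key was never tied to a person
	TrustedIdentity                // verifies with a key obtained out-of-band
)

func (v Verdict) String() string {
	return [...]string{"invalid signature", "same key, identity unverified", "trusted identity"}[v]
}

// TrustStore maps full fingerprint -> owner name, populated only with keys
// received directly from the owner (or via a sufficiently trusted introducer).
type TrustStore map[string]string

// Verify checks the signature and reports how much the reader may conclude.
// The second return value is the owner name for a trusted key, otherwise the
// full fingerprint the reader can use to recognise the same key later.
func Verify(ts TrustStore, m SignedMessage) (Verdict, string) {
	if !ed25519.Verify(m.Signer, m.Body, m.Signature) {
		return Invalid, ""
	}
	fp := Fingerprint(m.Signer)
	if name, ok := ts[fp]; ok {
		return TrustedIdentity, name
	}
	return ContinuityOnly, fp
}

// SameKey reports whether two messages carry the same full signing key.
func SameKey(a, b SignedMessage) bool {
	return Fingerprint(a.Signer) == Fingerprint(b.Signer)
}

func main() {
	// Constructed scenario: Alice's key was exchanged in person; Mallory's key was
	// merely uploaded to a key server with Alice's address in its user ID.
	alice, mallory := NewKey(), NewKey()
	trusted := TrustStore{Fingerprint(PubOf(alice)): "Alice (key-signing party)"}

	msgs := []SignedMessage{
		Sign(alice, []byte("first post")),
		Sign(alice, []byte("second post")),
		Sign(mallory, []byte("post claiming to be from alice@example.com")),
	}
	for _, m := range msgs {
		v, who := Verify(trusted, m)
		fmt.Printf("%-46q verdict=%v signer=%s shortID=%s\n", m.Body, v, who, ShortKeyID(m.Signer))
	}
	fmt.Println("posts 1 and 2 same key:", SameKey(msgs[0], msgs[1]))
	fmt.Println("posts 1 and 3 same key:", SameKey(msgs[0], msgs[2]))
}
```

Run it and the three posts all verify, yet only the two signed with the in-person key reach `TrustedIdentity`; Mallory's post is perfectly valid cryptographically and gets `ContinuityOnly`, which is exactly the "a bunch of messages use the same key, but not necessarily the right person" situation described above. The design choice to key the trust store by full fingerprint rather than by `ShortKeyID` is deliberate: the short ID is the value poc calls fakable, so it must never be the thing a trust decision hangs on.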