Re: pgp "global directory" bugged instructions

2004-12-18 Thread Jon Callas
Thanks for the bug report. We appreciate your help in fine-tuning the 
language in the verification emails of the beta test of the PGP Global 
Directory. We noticed this one, ourselves, and put out an improvement 
to it on Tuesday. Please check it over and see what you think of the 
improved version.

If you would like to send bug reports to us directly, please feel free 
to send them to [EMAIL PROTECTED]. Cypherpunks and Cryptography are both 
inefficient ways to get them to us, as Cryptography waits for Perry to 
approve the post, and Cypherpunks waits for Bob Hettinga to forward it.

However, the Global Directory does not consolidate information from any 
other keyservers. It is a replacement for the old keyserver, 
keyserver.pgp.com, and will take over that venerable old server's job 
once beta test is concluded. We are, however, migrating a number of 
keys from the old keyserver to that one.

Think of the new keyserver as a mix between traditional keyservers, 
mailing list servers like mailman, and a robot CA. Its intent is to 
improve upon the older keyservers by giving some modicum of assurance 
that keys in it belong to someone, as well as allowing someones to 
recover from forgetting their passphrase.

Jon
On 16 Dec 2004, at 7:13 AM, R.A. Hettinga wrote:
--- begin forwarded text
Date: Thu, 16 Dec 2004 05:50:22 -0500
From: Adam Back <[EMAIL PROTECTED]>
To: Cypherpunks <[EMAIL PROTECTED]>
Cc: Cryptography <[EMAIL PROTECTED]>
Subject: pgp "global directory" bugged instructions
User-Agent: Mutt/1.4.1i
Sender: [EMAIL PROTECTED]
So PGP are now running a pgp key server which attempts to consolidate
the information from the existing key servers, but screen it by
ability to receive email at the address.

So they send you an email with a link in it and you go there and it
displays your key userid, keyid, fingerprint and email address.

Then it says:
| Please verify that the email address on this key, [EMAIL PROTECTED],
| is your email address, and is properly configured to send and
| receive PGP secured email.
|
| If the information is correct, click 'Accept'. By clicking 'Accept',
| your key will be published to the directory, where other PGP users
| will be able to retrieve it in order to encrypt messages to you and
| verify signed messages from you.
|
| If this information is incorrect, click 'Cancel'. By clicking
| 'Cancel', this key will not be published. You may then submit
| another key with the correct information.
So here's the problem: it does not mention anything about checking
that this is your fingerprint.  If it's not your fingerprint but it is
your email address you could end up DoSing yourself, or at least
perpetuating an imposter key into the new supposedly email validated
keyserver db.

(For example on some key servers there are keys with my name and email
that are nothing to do with me -- they are pure forgeries).

Suggest they add something to say in red letters check the fingerprint
AND keyid matches your key.
Adam
--- end forwarded text
--
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
--
Jon Callas
CTO, CSO
PGP Corporation Tel: +1 (650) 319-9016
3460 West Bayshore  Fax: +1 (650) 319-9001
Palo Alto, CA 94303 PGP: ed15 5bdf cd41 adfc 00f3
USA  28b6 52bf 5a46 bc98 e63d
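
An added example (not part of the original thread, and not PGP Corporation's code): the check Adam Back's report asks for, comparing the fingerprint and key ID shown on the confirmation page with the values computed from your own key. It assumes a version 4 OpenPGP key, whose fingerprint is the SHA-1 hash of the public-key packet; the function names and the toy key material are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (public-key algorithm ID 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, the 2-byte body length, then the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(shown: str) -> str:
    """Strip spaces, colons and a leading 0x so displayed forms compare equal."""
    s = "".join(shown.split()).replace(":", "").upper()
    return s[2:] if s.startswith("0X") else s

def check_displayed(local_body: bytes, shown_fpr: str, shown_keyid: str) -> list:
    """Return the fields on the confirmation page that do NOT match the local key."""
    fpr = v4_fingerprint(local_body)
    problems = []
    if normalize(shown_fpr) != fpr:
        problems.append("fingerprint")
    if normalize(shown_keyid) != fpr[-16:]:  # key ID = low 64 bits of the fingerprint
        problems.append("keyid")
    return problems

def grouped(fpr: str) -> str:
    """Format a fingerprint the way it is usually displayed: lower-case groups of four."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4)).lower()

# Constructed sample keys (toy moduli, not real keys). Both could carry the same
# name and email address in their user ID; only the key material differs.
MINE = v4_rsa_body(1100000000, 0xC0FFEE1234567890ABCDEF1234567891, 65537)
FORGED = v4_rsa_body(1100000001, 0xBADC0DE234567890ABCDEF1234567893, 65537)

if __name__ == "__main__":
    page_fpr = grouped(v4_fingerprint(FORGED))    # what the page would show
    page_keyid = "0x" + v4_fingerprint(FORGED)[-16:]
    mismatches = check_displayed(MINE, page_fpr, page_keyid)
    print("Accept" if not mismatches else "Cancel, mismatch in: " + ", ".join(mismatches))
```

A matching email address says nothing about the key material, so the decision to click 'Accept' should depend on an empty mismatch list, not on the address shown.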


Re: Challenge to David Wagner on TCPA

2002-08-02 Thread Jon Callas

On 8/1/02 1:14 PM, "Trei, Peter" <[EMAIL PROTECTED]> wrote:

> So my question is: What is your reason for shielding your identity?
> You do so at the cost of people assuming the worst about your
> motives.

Is this a tacit way to suggest that the only people who need anonymity or
pseudonymity are those with something to hide?

Jon




Re: Ross's TCPA paper

2002-06-26 Thread Jon Callas

On 6/25/02 4:15 AM, "Dan Geer" <[EMAIL PROTECTED]> wrote:

> Over the last six months, I'd discovered that Carl Ellison (Intel),
> Joan Feigenbaum (Yale) and I agreed on at least one thing: that the
> problem statements for "privacy" and for "digital rights management"
> were identical, viz., "controlled release of information is yours at
> a distance in space or time" and that as such our choices for the
> future of digital rights management and privacy are "both or neither"
> at least insofar as technology, rather than cultural norms & law,
> drive.

I think it even goes further than that.

I was giving one of my DMCA-vs-Security talks while l'affaire Sklyarov was
roiling, and noted that while that was going on, the US was being testy with
China over alleged espionage by US nationals while in China. At a high
level, each of infringement and espionage can be described as:

Alice gives Bob some information. Bob is careless with it, disclosing it to
someone that Alice would rather not see it. Alice has a non-linear response.

You can call it infringement or you can call it espionage, but at the bottom
of it, Alice believes that a private communication has been inappropriately
disclosed. She thinks her privacy has been compromised and she's stomping
angry about it.

At the risk of creating a derivative work, you say pr-eye-vacy, I say
pr-ih-vacy. Infringement, espionage, let's call the whole thing off.

Jon