On Wed, Feb 27, 2002 at 02:11:20PM -0500, Sumit Dhar wrote:
> We are planning to set up our own keyserver so that we can
> digitally sign and encrypt our mails. Ideally users would be using
> either pgp or gnupg.
>
> 2. How compatible are gnupg and pgp?

I can verify your signature on this message. :-) In short, very.

> 3. Lastly, anyone can send their keys to the keyserver. How does the
> keyserver authenticate that [EMAIL PROTECTED] is really X and not some
> impersonator?? Or is that beyond the jurisdiction of the key server?
> Does the key server also act as some sort of Certification Authority??
> If no, how can I integrate these two functions?

It doesn't do any authentication. The normal trust model is only trusting keys that you select to trust and maybe a few layers out (you trust a few of your friends to sign someone else's key and check to make sure it's legit, so you would trust those keys if you saw them).

I think in this situation, you should probably have a person with a certain key in charge of signing new keys (after they have been properly verified), and have everyone sign (and therefore trust) that key. That's all a CA really does anyway. The only proof of identity they require is to pay them a lot of money.

Or, you can use the web-of-trust model, and have people sign keys when they meet and verify employee ID cards. That way, a problem with one key (someone screwing up and letting their private key out happens) won't bring down the entire system.

Or, if you are using a private keyserver, you can log who puts keys up there and from what IP address, and make sure you have logs in case someone does something nasty. If your volume is high, it might not work exactly this way.

Someone who I traded signatures with recently would not sign mine until he sent me an encrypted and signed message with a salt in it, that I was to send back to him, encrypted and signed. That would at least prove a key has legitimate contact info and fingerprint for at least that period of time. Your level of authentication may vary.

You don't even need to use a private keyserver. The advantage of getting your keys out on the net is that it can facilitate the same trust levels on a larger scale.

Rob