On Sun, 2010-08-22 at 14:04 +0200, Arnold wrote:
> On 08/22/2010 03:54 AM, C.J. Adams-Collier KF7BMP wrote:
> > On Sat, 2010-08-21 at 22:37 +0200, Christoph Anton Mitterer wrote:
> >> On Mon, 2010-08-09 at 12:54 -0400, C.J. Adams-Collier wrote:
> >>> Cool. Could you sign something for me so's I have a relatively strong
> >>> indication that you own the pub key I will associate with the server?
> >> ...
> >> What I did,... and what should be even a better proof that the key
> >> belongs to the owner of the server is:
> >>
> >> I've added a file at:
> >> http://scientia.net/adams-collier.keyinfo
> >> which contains the fingerprint + my name.
> >> ...
> > No. And I advise all others to avoid peering with you until you can
> > prove that you own the private key that will be associated with the
> > keyserver.
>
> Why?

Because none of the information provided indicates in any way that the
private key corresponding with the public key provided is under Chris'
control.

> Keys and certificates identify persons, not ownership of a server. Whether
> or not you trust the signers of the key or certificate is up to you.
>
> For the server, all he can do is prove he has sufficient access rights
> (which he offered and is also inherent to modifying the membership file). Or
> you can contact the domain owner offline (using WHOIS information).
>
> But then, why won't you peer with an anonymously operated server? In some
> countries that might be necessary. After all, each public key a key server
> provides should initially be regarded as 'untrusted'.

http://apps.leg.wa.gov/rcw/default.aspx?cite=19.34&full=true#19.34.400

(1) The secretary must recognize one or more repositories, after finding
that a repository to be recognized:
...
(d) Contains no significant amount of information that is known or likely
to be untrue, inaccurate, or not reasonably reliable;

I interpret this to mean that I need to perform some amount of identity
verification of the operator of each keyserver with which I peer.

> The only thing I'm interested in is if the server is operated by a
> sufficiently skilled administrator. Something certificates won't tell.
>
> > > http://apps.leg.wa.gov/rcw/default.aspx?cite=19.34.210
>
> This is a national law / ruling applicable to just one country. It is
> useless in the rest of the world (ref. art. 3a, for example) and not
> applicable to PGP-keys, as they do not depend on a certification
> authority to be valid for the user.

All of this is correct. However, the advice is generally applicable to
signing- and trust-related activities.

> Arnold

Cheers,

C.J.
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/sks-devel