
Re: [Sks-devel] Fake keys and removal thereof


From: Phil Pennock
Subject: Re: [Sks-devel] Fake keys and removal thereof
Date: Wed, 3 Jul 2013 19:39:56 -0400

On 2013-07-03 at 02:55 -0400, NimbleSec SKS Admin wrote:
> I have a couple of quick noobish questions...
> 
> I noticed this tweet:
> https://twitter.com/abditum/status/352271467196588035

> Aside from asking the keyservers to remove a fraudulent key, is there
> any other recourse for someone in this kind of situation?

I _could_ sweeten how I say this, but fundamentally the point stands:
your recourse is to learn a little of the core concepts, to understand
what's going on.

There's "object security" and "container security".  The PGP keyservers
hold keys and updates from anyone, so the existence of a key in the PGP
keyservers means nothing except that it's there.  The PGP security model
is based on the "Web of Trust".

An attitude of "The key exists on keyservers: it must be good!" is
flawed and trying to change the keyservers to make that attitude safe is
not feasible and will only result in disappointment and acrimony.

Instead, just think of the keyservers as a big pool, with gold nuggets
and excrement both floating around in it.  You can get out any key, you
can search for any key, and anyone can put anything they want into it,
with any name on it they want.

Attend a PGP keysigning party, start building up trust links, try to get
your key into the Strong Set.  These will help you tell which lumps are
gold nuggets.

http://www.gnupg.org/gph/en/manual.html

http://pgp.cs.uu.nl/plot/

http://www.phildev.net/pgp/   (not me, a different Phil)

-Phil
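
The point made in the message above, as an added example that is not part of the original post: two keys in the keyserver pool carry the same name, and only the one reachable from your own key through a chain of signatures can be told apart from the other. Key IDs, names and signatures are constructed, and the plain reachability check with a depth limit of 5 is a simplification chosen for this example, not GnuPG's full trust calculation.

```python
from collections import deque

# Constructed sample data: key IDs, names and signatures are invented.
# The pool is what a keyserver returns: anyone can upload any key under any name.
POOL = {
    "KEY-ME":    "Me <me@example.org>",
    "KEY-CAROL": "Carol <carol@example.org>",
    "KEY-DAVE":  "Dave <dave@example.org>",
    "KEY-ALICE": "Alice <alice@example.org>",   # the genuine key
    "KEY-FAKE":  "Alice <alice@example.org>",   # same name, uploaded by someone else
    "KEY-SOCK1": "Bob <bob@example.org>",
    "KEY-SOCK2": "Eve <eve@example.org>",
}

# signer -> keys whose user ID that signer has certified
SIGS = {
    "KEY-ME":    {"KEY-CAROL"},
    "KEY-CAROL": {"KEY-ME", "KEY-DAVE"},
    "KEY-DAVE":  {"KEY-ALICE", "KEY-CAROL"},
    "KEY-ALICE": {"KEY-DAVE"},
    # The fake key has signatures too, but only from keys its uploader made.
    "KEY-SOCK1": {"KEY-FAKE", "KEY-SOCK2"},
    "KEY-SOCK2": {"KEY-FAKE", "KEY-SOCK1"},
    "KEY-FAKE":  {"KEY-SOCK1"},
}

def signature_path(sigs, start, target, max_depth=5):
    """Shortest chain of certifications from start to target, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:   # chain already at the depth limit
            continue
        for signed in sorted(sigs.get(path[-1], ())):
            if signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None

def check_uid(pool, sigs, my_key, uid):
    """For every key in the pool claiming uid, the path from my_key (or None)."""
    return {kid: signature_path(sigs, my_key, kid)
            for kid, name in pool.items() if name == uid}

if __name__ == "__main__":
    result = check_uid(POOL, SIGS, "KEY-ME", "Alice <alice@example.org>")
    for kid, path in result.items():
        print(kid, "->", " > ".join(path) if path else "no path from my key")
```

The signatures on the fake key form their own closed cluster, so counting signatures says nothing; what matters is whether a chain starts at a key you already trust.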


