sks-devel

Re: [Sks-devel] new keyserver online


From: C.J. Adams-Collier KF7BMP
Subject: Re: [Sks-devel] new keyserver online
Date: Sun, 22 Aug 2010 07:43:15 -0700

No offense intended.  However, this is actually slightly more than zero indication that the key belongs to you.  The only indication you have given is that you have control over the email address listed in the pubkey.  My friends very often have their email accounts hacked and I receive mail from spammers pretending to be them.  The fact that you refuse to prove that you own the private key is a strong indication that you do not own it.  Generating a signed message is as simple as this:

$ echo "I really do own the key" | gpg --clearsign

You need a passphrase to unlock the secret key for
user: "C.J. Adams-Collier <address@hidden>"
1024-bit DSA key, ID 176BE946, created 2008-03-02 (main key ID BA27A83C)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I really do own the key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREIAAYFAkxxNs4ACgkQXKBS0hdr6UYcfwCcCpcwrtsIzJh979D+ELsmHqPc
J5oAnA6faHMKoI8OyR+EEO1cHblZNVtr
=muZK
-----END PGP SIGNATURE-----
Tada :)

On Sun, 2010-08-22 at 14:04 +0200, Christoph Anton Mitterer wrote:
Hey...

Oh my goodness...


Now listen:

On Sat, 2010-08-21 at 18:54 -0700, C.J. Adams-Collier KF7BMP wrote:
> No.  And I advise all others to avoid peering with you until you can
> prove that you own the private key that will be associated with the
> keyserver.
I was already willing to put some effort into giving you a strong
indication that my key belongs to the owner of my keyserver, as you
wanted.

If I'm not missing something substantial (and I don't think so), there
is really nothing you'd gain from this anyway.
If I send you some encrypted challenge or vice versa, you have no
proof that I'm actually "Christoph Anton Mitterer", only that the
owner of that key has access to that email address (which an attacker
can easily have too, via MiM attacks).

Nor does it prove to you that the owner of that key is really the owner of
that keyserver, again because of easily possible MiM attacks.

Obviously you're missing some fundamental parts of how cryptosystems
(and especially the keyserver infrastructure) work.
The latter is not secured anyway, as you can understand from this thread:
http://www.imc.org/ietf-openpgp/mail-archive/msg30930.html


> http://apps.leg.wa.gov/rcw/default.aspx?cite=
You might have noticed (e.g. using whois on my IP addresses) that I'm
not living in the state of Washington, and not even in the US.
It shows quite some arrogance that you seem to have the impression that
this law, or whatever it is, might have some effect in Europe or Germany.

Apart from the fact that it seems to be about "licensed certificate
authorities".
No keyserver is a CA...


So next time before making any "impolite" public statements, please
think twice... (or better, three times).


Cheers,
Chris.

btw: Of course you're still free to decide with which keyserver you want
to peer, which I did now.
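What a clearsigned message actually asserts can be read straight off its armored block. The Python example below is added here (it is not code from this thread or from SKS/GnuPG) and uses the signature block from the clearsigned message above as its constructed input: it strips the armor, checks the CRC-24, and decodes the v4 signature packet to recover the issuer key ID and creation time, which is exactly what `gpg --verify` then binds to a fetched public key. It performs no DSA verification; it assumes Python 3 with the standard library only.

```python
import base64
# Constructed input: the signature block from the clearsigned message above, copied verbatim.
ARMORED_SIGNATURE = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREIAAYFAkxxNs4ACgkQXKBS0hdr6UYcfwCcCpcwrtsIzJh979D+ELsmHqPc
J5oAnA6faHMKoI8OyR+EEO1cHblZNVtr
=muZK
-----END PGP SIGNATURE-----"""
PUBKEY_ALGS = {1: "RSA", 17: "DSA"}   # RFC 4880 section 9.1 (subset)
HASH_ALGS = {2: "SHA1", 8: "SHA256"}  # RFC 4880 section 9.4 (subset)

def crc24(data):  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored):  # -> (packet bytes, checksum ok?)
    lines = [l.strip() for l in armored.strip().splitlines()[1:-1]]   # drop BEGIN/END lines
    body = lines[lines.index("") + 1:] if "" in lines else lines        # skip armor headers
    body = [l for l in body if l]                                       # last line is "=CRC"
    data = base64.b64decode("".join(body[:-1]))
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    return data, crc24(data) == expected

def subpackets(buf):  # yield (type, payload); one-octet subpacket lengths only (RFC 4880 5.2.3.1)
    pos = 0
    while pos < len(buf):
        n = buf[pos]                                   # length covers type octet + payload
        yield buf[pos + 1] & 0x7F, buf[pos + 2:pos + 1 + n]
        pos += 1 + n

def parse_signature(armored):  # decode the v4 signature packet and report what it claims
    data, crc_ok = dearmor(armored)
    assert data[0] & 0xC0 == 0x80 and (data[0] >> 2) & 0x0F == 2, "not an old-format signature packet"
    body = data[2 if data[0] & 0x03 == 0 else 3:]      # one- or two-octet packet length
    info = {"crc_ok": crc_ok, "version": body[0], "sig_type": body[1],
            "pubkey_alg": PUBKEY_ALGS.get(body[2], body[2]), "hash_alg": HASH_ALGS.get(body[3], body[3])}
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    areas = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]   # hashed, unhashed subpacket areas
    for sp_type, payload in (sp for area in areas for sp in subpackets(area)):
        if sp_type == 2: info["created"] = int.from_bytes(payload, "big")   # creation time, epoch secs
        elif sp_type == 16: info["issuer_key_id"] = payload.hex().upper()  # issuer key ID, 8 octets
    return info
```

The decoded issuer key ID ends in 176BE946, the ID GnuPG printed when the message was signed; the remaining step is to fetch that key and let `gpg --verify` check the DSA signature against it.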

