Diff: PGPGlobalDirectory

Differences between version 12 and previous revision of PGPGlobalDirectory.


Newer page: version 12, last edited on Thursday, December 16, 2004 3:57:00 am by StuartYeates
Older page: version 1, last edited on Monday, December 13, 2004 11:25:11 pm by StuartYeates
@@ -1,12 +1,26 @@
 An [OpenPGP] [KeyServer] run by the [PGPCorporation]. 
+  
+Good points  
+# Having a convenient place to lookup current, valid keys is a great  
  
 A list of issues includes: 
 # When viewed as a [RobotCA] the [PGPGlobalDirectory] is signifcantly weaker than other [RobotCA]s in that it sends verifications unencrypted and unsigned. 
 # The server strips signatures from keys not registered with it. 
 # The server does not appear to provide any method of viewing signatures on the keys it serves. 
 # The key used to sign keys is not itself viewable through the server. 
 # Signatures and keys published on other key servers do not appear to migrate to the [PGPGlobalDirectory], and visa versa. 
 # Server asks users to sign the directory verification key without any independent verification. 
-# Signatures issued by the [RobotCA ] do not use a policy URL. 
+# Signatures issued by the [PGPGlobalDirectory ] do not use a policy URL.  
+# Older versions of [OpenPGP] keys (V3 and previous) are not supported.  
+# Access to a single email account given in a uid for a key permits the key to be removed for email addresses in all uids, without contacting the other email addresses.  
+# There appears to be a bug which occurs when a key with multiple uids/emails is replaced with one with a single uid/email which is in turn replaced with the original key. Verification messages are sent to the multiple emails, but only the verification that goes to the email address that was on the single uid/email actually works. The others get a message aobut the verification timing out.  
+# The timing out of verifications is worrying given the message "No further messages regarding the PGP Global Directory will be sent to this email address unless you choose to participate by providing a verification response to this email." That appears in the verification email. It suggests that if the verification email is lost or times out then the email address is effectly barred from using the keyserver there after.  
+# When it believes a key no longer matches an email address [PGPGlobalDirectory] should issue a revocation for the signature (as well as removing the key).  
+# [PGPGlobalDirectory] should not multiply sign the same key within a short space of time, as it currently does if a user switches rapidly between two of more keys for an email address. Multiple signing may be acceptable if the current signature is about to expire or has expired (the current signature expiry is set so short it is hard to tell whether this is kicking in already).  
+# [PGPGlobalDirectory] actively discourages users' self-eductaion about security, [PGP] and [OpenPGP] in general.  
+# For an approach that is so keen on expiring keys and signatures, it seems odd that the directory verification key does not have an expiry date set.  
+# It is not clear whether mirroring, syncing or other facilities are going to be avaliable so that institutions concerned about keyserver requests going outside their intranet can establish a local copy, as they can with other keyserver solutions.  
+# Searching for a name requires the exact name. "Stuart A Yeates", "Stuart A. Yeates" and "Stuart Andrew Yeates" are considered unrelated names and there is no way to search using a substring.  
+# The system is unnecessarily incompatible with existing search tools and systems, particularly with respect to searching for keys
  
 See: https://keyserver-beta.pgp.com/
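
Review bot: The single item added under "Good points" ends mid-sentence ("... a convenient place to lookup current, valid keys is a great"), so the one positive the page records has no object; complete the sentence or drop the heading. In the renamed policy-URL item the link is still written "[PGPGlobalDirectory ]" with a space before the closing bracket, carried over from "[RobotCA ]", and may not resolve as a wiki link. Among the new issues, the items beginning "When it believes a key no longer matches an email address" and "[PGPGlobalDirectory] should not multiply sign the same key" are recommendations rather than observed problems and would read better in a separate list. The claim that the directory "actively discourages users' self-eductaion" gives no example of how it does so, and the item quoting the verification email breaks into a fragment at "That appears in the verification email." Spelling in the added lines needs a pass: "aobut", "effectly", "there after", "two of more", "self-eductaion", "avaliable".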