Diff: PGPGlobalDirectory

Differences between version 24 and predecessor to the previous major change of PGPGlobalDirectory.


Newer page: version 24 Last edited on Saturday, January 8, 2005 2:54:52 am by StuartYeates
Older page: version 23 Last edited on Thursday, December 23, 2004 9:49:44 am by DavidShaw
@@ -1,31 +1,31 @@
 An [OpenPGP] [KeyServer] run by the [PGPCorporation]. 
  
-__ Note that the behavious of the beta has changed oevr the course of the last week and that at least a couple of these appear to no longer apply__  
+'' Note that the behaviour of the beta has changed over the course of the last weeks and that at least a couple of these appear to no longer apply''  
  
 Good points 
 # Having a convenient place to lookup current, valid keys is a great 
  
 A list of issues includes: 
 # When viewed as a [RobotCA] the [PGPGlobalDirectory] is signifcantly weaker than other [RobotCA]s in that it sends verifications unencrypted and unsigned. 
-# The server strips signatures from keys not registered with it. __ Signatures are now reported in the web interface but not included in the download (20/Dec/2004 StuartYeates).__  
+# The server strips signatures from keys not registered with it. '' Signatures are now reported in the web interface but not included in the download (20/Dec/2004 StuartYeates).''  
 # The server strips revocations from keys and thus happily serves revoked keys sans revocation. 
 # The server does not appear to provide any method of viewing signatures on the keys it serves. 
-# The key used to sign keys is not itself viewable through the server. __ This appears to now be fixed (20/Dec/2004 StuartYeates).__  
+# The key used to sign keys is not itself viewable through the server. '' This appears to now be fixed (20/Dec/2004 StuartYeates).''  
 # Signatures and keys published on other key servers do not appear to migrate to the [PGPGlobalDirectory], and visa versa. 
 # Server asks users to sign the directory verification key without any independent verification. 
 # Signatures issued by the [PGPGlobalDirectory] do not use a policy URL. 
 # Older versions of [OpenPGP] keys (V3 and previous) are not supported, though this can be regarded as a feature due to various weaknesses with V3 keys. 
 # Access to a single email account given in a uid for a key permits the key to be removed for email addresses in all uids, without contacting the other email addresses. 
-# There appears to be a bug which occurs when a key with multiple uids/emails is replaced with one with a single uid/email which is in turn replaced with the original key. Verification messages are sent to the multiple emails, but only the verification that goes to the email address that was on the single uid/email actually works. The others get a message aobut the verification timing out. __ This appears to now be fixed (20/Dec/2004 StuartYeates).__  
-# The timing out of verifications is worrying given the message "No further messages regarding the PGP Global Directory will be sent to this email address unless you choose to participate by providing a verification response to this email." That appears in the verification email. It suggests that if the verification email is lost or times out then the email address is effectly barred from using the keyserver there after. __ This now appears to be fixed (20/Dec/2004 StuartYeates).__  
+# There appears to be a bug which occurs when a key with multiple uids/emails is replaced with one with a single uid/email which is in turn replaced with the original key. Verification messages are sent to the multiple emails, but only the verification that goes to the email address that was on the single uid/email actually works. The others get a message aobut the verification timing out. '' This appears to now be fixed (20/Dec/2004 StuartYeates).''  
+# The timing out of verifications is worrying given the message "No further messages regarding the PGP Global Directory will be sent to this email address unless you choose to participate by providing a verification response to this email." That appears in the verification email. It suggests that if the verification email is lost or times out then the email address is effectly barred from using the keyserver there after. '' This now appears to be fixed (20/Dec/2004 StuartYeates).''  
 # When it believes a key no longer matches an email address [PGPGlobalDirectory] should issue a revocation for the signature (as well as removing the key). 
 # [PGPGlobalDirectory] should not multiply sign the same key within a short space of time, as it currently does if a user switches rapidly between two of more keys for an email address. Multiple signing may be acceptable if the current signature is about to expire or has expired (the current signature expiry is set so short it is hard to tell whether this is kicking in already). 
 # [PGPGlobalDirectory] actively discourages users' self-eductaion about security, [PGP] and [OpenPGP] in general. 
 # For an approach that is so keen on expiring keys and signatures, it seems odd that the directory verification key does not have an expiry date set. 
-# It is not clear whether mirroring, syncing or other facilities are going to be avaliable so that institutions concerned about keyserver requests going outside their intranet can establish a local copy, as they can with other keyserver solutions. __ There are reports that submitting keys to the old PGP servers results in confirmation emails being sent to users through the beta, but I've been unable to reproduce this (20/Dec/2004 StuartYeates).__  
-# Searching for a name requires the exact name. "Stuart A Yeates", "Stuart A. Yeates" and "Stuart Andrew Yeates" are considered unrelated names and there is no way to search using a substring. __ This is only true when searching through the web interface. It is not true when searching via GnuPG or the PGPKeys GUI. In these cases (which are actually LDAP searches), substring searches are available. (22/Dec/2004 DavidShaw).__  
-# The system is unnecessarily incompatible with existing search tools and systems, particularly with respect to searching for keys. 
+# It is not clear whether mirroring, syncing or other facilities are going to be avaliable so that institutions concerned about keyserver requests going outside their intranet can establish a local copy, as they can with other keyserver solutions. '' There are reports that submitting keys to the old PGP servers results in confirmation emails being sent to users through the beta, but I've been unable to reproduce this (20/Dec/2004 StuartYeates).''  
+# Searching for a name requires the exact name. "Stuart A Yeates", "Stuart A. Yeates" and "Stuart Andrew Yeates" are considered unrelated names and there is no way to search using a substring. '' This is only true when searching through the web interface. It is not true when searching via GnuPG or the PGPKeys GUI. In these cases (which are actually LDAP searches), substring searches are available. (22/Dec/2004 DavidShaw).''  
+# The system is unnecessarily incompatible with existing search tools and systems, particularly with respect to searching for keys. ''This is partially fixed by upgrading to the new GnuPG 1.5 release (7/Jan/2005 StuartYeates).''  
  
 See: https://keyserver-beta.pgp.com/ 
  
 There is a critique (in German) at: http://www.heise.de/security/news/meldung/54375
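
Review bot: The annotation added to the last list item ("This is partially fixed by upgrading to the new GnuPG 1.5 release") does not say which part of the search-tool incompatibility the upgrade resolves and which part remains, so a reader cannot tell whether the issue still affects them; name the remaining gap and link the release notes. The re-marked lines also still carry the typos "aobut", "effectly" and "avaliable", even though this edit corrected "behavious" and "oevr" in the opening note; fix them in the same pass. Finally, the opening note still says "at least a couple of these appear to no longer apply" without pointing at specific items; since the per-item annotations now mark which issues are fixed, either reference those or drop the vague wording.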