Diff: PGPGlobalDirectory

Differences between version 27 and predecessor to the previous major change of PGPGlobalDirectory.


Newer page: version 27 Last edited on Tuesday, February 1, 2005 10:47:37 pm by StuartYeates
Older page: version 24 Last edited on Saturday, January 8, 2005 2:54:52 am by StuartYeates
@@ -7,9 +7,9 @@
  
 A list of issues includes: 
 # When viewed as a [RobotCA] the [PGPGlobalDirectory] is signifcantly weaker than other [RobotCA]s in that it sends verifications unencrypted and unsigned. 
 # The server strips signatures from keys not registered with it. ''Signatures are now reported in the web interface but not included in the download (20/Dec/2004 StuartYeates).'' 
-# The server strips revocations from keys and thus happily serves revoked keys sans revocation. 
+# The server strips revocations from keys and thus happily serves revoked keys sans revocation. ''The server now correctly refuses to upload revoked keys. (7/Jan/2005 StuartYeates).''  
 # The server does not appear to provide any method of viewing signatures on the keys it serves. 
 # The key used to sign keys is not itself viewable through the server. ''This appears to now be fixed (20/Dec/2004 StuartYeates).'' 
 # Signatures and keys published on other key servers do not appear to migrate to the [PGPGlobalDirectory], and visa versa. 
 # Server asks users to sign the directory verification key without any independent verification. 
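Review bot: The remark added to the revocations item says the server now refuses to upload revoked keys, which does not answer the complaint made in the same line, namely that revocations are stripped and revoked keys are served without them. As written, the remark does not cover a key that is already in the directory and is revoked later; suggest stating whether such a key is now served with its revocation, or rewording the item so the original claim and the new status do not sit side by side unreconciled. The typos "signifcantly" and "visa versa" in the neighbouring items could be corrected in the same edit.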
@@ -22,16 +22,18 @@
 # [PGPGlobalDirectory] should not multiply sign the same key within a short space of time, as it currently does if a user switches rapidly between two of more keys for an email address. Multiple signing may be acceptable if the current signature is about to expire or has expired (the current signature expiry is set so short it is hard to tell whether this is kicking in already). 
 # [PGPGlobalDirectory] actively discourages users' self-eductaion about security, [PGP] and [OpenPGP] in general. 
 # For an approach that is so keen on expiring keys and signatures, it seems odd that the directory verification key does not have an expiry date set. 
 # It is not clear whether mirroring, syncing or other facilities are going to be avaliable so that institutions concerned about keyserver requests going outside their intranet can establish a local copy, as they can with other keyserver solutions. ''There are reports that submitting keys to the old PGP servers results in confirmation emails being sent to users through the beta, but I've been unable to reproduce this (20/Dec/2004 StuartYeates).'' 
-# Searching for a name requires the exact name. "Stuart A Yeates", "Stuart A. Yeates" and "Stuart Andrew Yeates" are considered unrelated names and there is no way to search using a substring. ''This is only true when searching through the web interface. It is not true when searching via GnuPG or the PGPKeys GUI. In these cases (which are actually LDAP searches), substring searches are available. (22/Dec/2004 DavidShaw).''  
-# The system is unnecessarily incompatible with existing search tools and systems, particularly with respect to searching for keys. ''This is partially fixed by upgrading to the new GnuPG 1.5 release (7/Jan/2005 StuartYeates).'' 
+# Searching for a name requires the exact name. "Stuart A Yeates", "Stuart A. Yeates" and "Stuart Andrew Yeates" are considered unrelated names and there is no way to search using a substring. ''This is only true when searching through the web interface. It is not true when searching via GnuPG or the PGPKeys GUI. In these cases (which are actually LDAP searches), substring searches are available. (22/Dec/2004 DavidShaw).'' ''This is requires upgrading to the new [ GnuPG] 1.5 release (7/Jan/2005 StuartYeates).''  
+# The system is unnecessarily incompatible with existing search tools and systems, particularly with respect to searching for keys.  
  
 See: https://keyserver-beta.pgp.com/ 
  
 There is a critique (in German) at: http://www.heise.de/security/news/meldung/54375 
  
 There is a discussion (in English) at: http://lists.gnupg.org/pipermail/gnupg-users/2004-December/thread.html#23841 
+  
+To see what a key sign by this looks like, see http://pgpkeys.pca.dfn.de:11371/pks/lookup?search=0x8836C97C&fingerprint=on&op=vindex Notice in particular the many signatures with short expiry dates with new signatures automatically issued a day before the old signature expires.  
  
 !!These guys sent me an email, what do I do? 
  
 This is probably the result of someone sending your key to the old pgp keyserver (think <code>gpg --keyserver keyserver.pgp.com --send ....</code>). If you intend to regularly communicate with PGP users in the commercial world you best bet is probably to get on the key server. It's really your personal choice. The email sent by PGP times out very quickly, so you may have to use the web interface.
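Review bot: The remark added to the name-search item reads "This is requires upgrading to the new [ GnuPG] 1.5 release", which has a stray "is" and a space inside the link brackets; suggest "This requires upgrading to the new [GnuPG] 1.5 release". The remark was moved here from the incompatibility item and its wording changed from "partially fixed by upgrading" to "requires upgrading", which leaves the incompatibility item with no status note at all, so it is worth confirming that both the move and the change of meaning are intended. In the new paragraph, "a key sign by this" should read "a key signed by this directory", and the sentence after the URL would be easier to follow if it started on its own line.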