New Global Directory of OpenPGP Keys 234
Gemini writes "The PGP company just announced a new type of keyserver for all your OpenPGP keys. This server verifies (via mailback verification, like mailing lists) that the email address on the key actually reaches someone. Dead keys age off the server, and you can even remove keys if you forget the passphrase. In a classy move, they've included support for those parts of the OpenPGP standard that PGP doesn't use, but GnuPG does."
Re:FPCP (Score:4, Informative)
The combination of this and (nigerian) spammers that actually respond to my challenge-response authentication is getting me very pissed off about spammers.
Re:PGP's defaults are the real problem. (Score:1, Informative)
that way, if you lose the secret key or the password for it, you can issue the revocation to let people know the key is no longer in use.
A good writeup of pgp and enigmail setup is available here:
http://enigmail.mozdev.org/gpgconf.html [mozdev.org]
Re:FPCP (Score:5, Informative)
Will I get spam if I use the PGP Global Directory?
No. Searches of the PGP Global Directory are limited to one (1) response, thus making gathering email addresses from the PGP Global Directory one of the least-effective ways of harvesting email addresses for spammers.
Re:Can a central repository bring security? (Score:5, Informative)
Not unless you're amazingly trusting of the repository. Read up on the "web of trust" and how to personally verify the keys you're using to send messages.
For example, my pubkey has been signed by several friends, and I have signed their pubkeys in kind. If I get a signed email from Charlie (whom I don't know), but his pubkey has been signed by Bob (whom I do know) using his key that I myself signed, then there is a direct path of trust between Charlie and me. If I believe that Bob is an honest guy who wouldn't have signed Charlie's key without personally verifying his identity, then I have cause to that key.
It's hard to explain the web of trust without making it sound more complicated than it really is. It's somewhat analogous to a friend introducing you to a person you've never met before. If your friend is very gullible, then you won't put much confidence in the ID of the person they're introducing. If your friend is, say, a loan officer who just spent the last month vetting the new person's identity, then you can be reasonably sure that they're giving you accurate information about that person.
Which brings us back to your question. If you're corresponding with a new contact with no trust pathway to that person, then you have exactly zero reason to believe in their identity simply because they were able to download GnuGP and create a new key. However, if that new person's key was signed by Alice, whose key was signed by Charlie, whose key was signed by Bob, whose key was signed by you, then you have at least some reason to think they're who they say they are.
There is no real concept of blindly trusting a new person in real life. GnuPG does not magically change this.
OpenPGP set to become global standard (Score:4, Informative)
http://www.itweek.co.uk/news/1118258
Re:OpenLDAP keyserver? (Score:2, Informative)
Re:Can a central repository bring security? (Score:4, Informative)
In Alice and Bob explanations, the C party is usually Carol.
Here's a wiki entry that discusses real life as it applies to cryptography. Its arguements parellel and support some of yours nicely, while also explaining Carol, Dave, and the others.
http://en.wikipedia.org/wiki/Alice_and_Bob/ [wikipedia.org]
Re:Widespread Crypto Revolution? (Score:3, Informative)
Re:whitelists? (Score:3, Informative)
Thank god there aren't PCI cards that offload crypto.
Re:..future for PGP? YES! Here's moreResources!?!? (Score:4, Informative)
(Sent this a few days ago to my ISP and family members - thought it might be useful to some
=Cy [xdi.org]
Do consider Thunderbird
http://www.mozilla.com/products/thunderbird/
http://www.mozilla.com/products/thunderbird/why/
for both yourself and your clients. It's really a wonderful product
and has spam handling built right in. Unlike Outlook(TM) it is open
about where it keeps your email (not hidden and difficult to export)
and is not so susceptible to worms and email nastiness such as scripts
that run without hindrance. Many a spyware app has been installed
further contributing to the spam problem due to people running just
that piece of software. Don't help the spammers. Reclaim your inbox.
It supports Enigmail: ( email envelopes you don't have to lick! )
http://enigmail.mozdev.org/
http://www.moztips.com/index.php?id=87
http://dudu.dyn.2-h.org/nist/gpg-enigmail-howto.ph p
I've attached my public key [ 0xYOUR_FINGERPRINT ]. I prefer to receive
secure mail. I've got nothing to hide, but I don't like using
postcards for all my USPS correspondence either. Regular email is
like using postcards on the internet. Any postal worker along the way
can take a look ( have a look at email "headers" sometime; every hop
you see is a place where your email is stored on a hard drive. )
Please use an envelope when communicating with me. Won't even cost
you a stamp. I value your privacy as much as I hope you value mine.
Privacy tool for Windows: (supports Eudora, Outlook, Clipboard)
http://winpt.sf.net
There's no need to keep my public key a secret. Feel free to give
it away or put it on a telephone pole; write it in the sky if you'd
like. It's available on the web. The more people that have it the
better. Use it to seal your envelopes when sending me mail. I've got
the only other matching key (my private key, opposite the public key
I've given to you) that allows me to unlock the envelope. You can
even lock an envelope so that multiple people can unlock it on their
own, but nobody else can read what you've sent them.
You can also find keys for me here:
http://www.biglumber.com
Please try it out. Be glad to help you get started.
If you haven't heard of the Firefox web browser yet
http://www.mozilla.org/products/firefox/
download it and check it out. Then look into the Extensions under
tools. Fast, far more secure than IE and extremely standards
compliant. Lots of tricks up it's sleeve in the way of Extensions,
themes, etc. Introducing this to your clients might be worthwhile as
well. The less spam and junk they've got clogging up their machines,
the less you'll pay for bandwidth, etc. Worth a look.
Thunderbird will import from Outlook. They just had a major release.
Even though this is version 1.0 it's not like a "typical" 1.0 release.
In the opensource world projects often start out with very low version
numbers. It's not uncommon to see something like v0.3.22 for very
usable and extremely bug free pieces of software.
Anyway it's really nice - though it doesn't have the calendar and palm
integration. That you'll need to weigh. Mom however doesn't need to
be on outlook....
=====[ http://www.mozilla.org/products/thunderbird/releas es/ ] =======
Comprehensive Mail Migration from other Mail Clients
Switching to Thunderbird has never been easier since Thunderbird can
now migrate all of your email data including settings, mail folders
Re:What unshared features? (Score:3, Informative)
Little stuff that can be annoying if you suddenly are incompatible. OpenPGP allows multiple photo IDs per key, and PGP only allows one. OpenPGP allows subkeys that can make signatures or encrypt, and PGP only allows subkeys that can encrypt. Stuff like that.
These things are part of keys, and if the keyserver is written to assume PGP-generated keys, it might not support them.
Re:whitelists? (Score:1, Informative)