[JDEV] PGP / Public Key retrieval
Max Horn
max at quendi.de
Tue Oct 10 11:05:53 CDT 2000
At 11:43 Uhr -0400 10.10.2000, Peter Millard wrote:
>I've already looked at dealing w/ PGP inside of Winjab and have thought
>about this and discussed it at some length w/ jer + others..
>
>The big IMPORTANT thing about passing keys around is "authenticity" of the
>actual key. This is the entire reason that key servers exist... so that just
>'anyone' can't send you a public key since you have no way of "knowing" that
>the other "end" of the Jabber connection isn't a hacker/spoofer/etc..
>
>The Public key servers are "trusted authorities" so that we both trust the
>server, thus, we can "safely" exchange public keys with it.
>
>IMO, the ONLY way that a Jabber client should fetch keys is by doing it
>through an existing public key server.. or force the user to use the PGP/GPG
>key utilities to find the key first, and just use the existing key ring.
>
>Temas - am I on the right track here?? :) We talked about this @ OSS and
>this is what I remember from that discussion.
I completely disagree! Keyservers are *not* "trusted authorities"!
You misunderstood the PGP principle IMHO.
Keyservers can be victims of spoof attacks etc. just like anyone else.
In addition, anyone can put a key on a keyserver, faked as well as
real keys. (Faked meaning: they bear an email address that doesn't
match the real creator.)
The only two ways to validate a key are 1) you get the key from
someone you can trust in a *physical* way (e.g. on a disk) or 2)
the key is signed by some (or better, more) keys which are already
trusted by you. This is how CAs work: they sign your key (marking it
as trusted & valid) only when you can physically prove it is yours.
Since you got the public key of the CA you can be sure other keys
signed by that CA are valid (whether you trust them is something else, but
you can be sure the email/name on the key are correct).
Bye,
Max
--
-----------------------------------------------
Max Horn
International C/C++/Internet Development
email: <mailto:max at quendi.de>
web: <http://www.quendi.de>
phone: (+49) 2621-188947
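As an added illustration of the validation rule described in the reply above (example code, not from the thread, Jabber or Winjab), a toy web-of-trust check: a key counts as valid only if it was obtained out-of-band or carries enough signatures from keys whose owners are already trusted, so a keyserver key bearing the right email but only a self-signature fails. Fingerprints, names and the GnuPG-style thresholds (1 full or 3 marginal signers) are constructed assumptions.

```python
# Web-of-trust key validity, a constructed toy model of the rule in the
# reply above (not GnuPG or Jabber code). Signatures are assumed already
# cryptographically verified; thresholds follow the GnuPG defaults of
# 1 fully trusted or 3 marginally trusted signers.
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"

@dataclass
class Key:
    fpr: str                                   # constructed sample fingerprint
    uid: str                                   # "Name <email>" as shown on the key
    signers: set = field(default_factory=set)  # fingerprints that signed this key

@dataclass
class Keyring:
    keys: dict            # fpr -> Key
    out_of_band: set      # fingerprints received physically (e.g. on a disk)
    owner_trust: dict     # fpr -> FULL / MARGINAL; absent means untrusted
    fulls_needed: int = 1
    marginals_needed: int = 3

    def is_valid(self, fpr: str, _seen: frozenset = frozenset()) -> bool:
        """Valid if received out-of-band, or signed by enough *valid* keys
        whose owners we trust to certify others."""
        if fpr in self.out_of_band:
            return True
        key = self.keys.get(fpr)
        if key is None or fpr in _seen:     # unknown key, or a signature cycle
            return False
        fulls = marginals = 0
        for s in key.signers - {fpr}:       # a self-signature proves nothing
            if not self.is_valid(s, _seen | {fpr}):
                continue                    # signer's own key is not validated
            level = self.owner_trust.get(s)
            fulls += level == FULL
            marginals += level == MARGINAL
        return fulls >= self.fulls_needed or marginals >= self.marginals_needed

def demo_keyring() -> Keyring:
    """Constructed data: CA key held on disk, Alice's key signed by the CA,
    and a look-alike 'Alice' key from a keyserver with only a self-signature."""
    ca = Key("CA00", "Example CA <ca@example.org>")
    alice = Key("A11C", "Alice <alice@example.org>", {"CA00"})
    fake = Key("FA4E", "Alice <alice@example.org>", {"FA4E"})
    return Keyring(keys={k.fpr: k for k in (ca, alice, fake)},
                   out_of_band={"CA00"}, owner_trust={"CA00": FULL})
```

The two keys named "Alice" share a uid, so the uid alone decides nothing; only the signature path back to the CA key held on disk makes one of them valid.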