[JDEV] PGP / Public Key retrieval

mark at mjwilcox.com mark at mjwilcox.com
Tue Oct 10 21:18:13 CDT 2000

Problems of CA's in general aside, the bigger issue is using PGP. 
PGP is a great system, but how are you going to get people to 
sign up with existing PGP key servers? In particular the masses of 
people who you want to use the system? If you're only concerned 
with talking with hackers, then PGP is fine.

But to the masses (who don't really care about security in the first 
place, yes they want to be secure,but they don't want to deal with 
it), it's got to be dirt simple. 

Thus you need a commercial infrastructure for it like Verisign (the 
MS monopoly of the 21st century), where I can go, give them $20 
and my credit card number & presto I have a digital certificate 
which I can use to authenticate to Web sites, sign email, and 
perhaps even sign Jabber.

Plus there are products like Netscape's Certificate server, Verisign 
Onsite and openSSL/openCA which allow organizations to manage 
their own certificates. 

It's a lot more than just picking a cool protocol. I've been managing 
certificates (it's a natural outgrowth of being a LDAP guru and 
webmaster) at a large organization for a long time now. Certificates 
aren't perfect, but it's easier IMHO to do this with existing 
infrastructure like X509 than PGP, in particular if you're looking at a 
broader, commercial market.


On 10 Oct 00, at 18:05, Max Horn wrote:

> At 11:43 Uhr -0400 10.10.2000, Peter Millard wrote:
> >I've already looked at dealing w/ PGP inside of Winjab and have thought
> >about this and discussed it at some length w/ jer + others..
> >
> >The big IMPORTANT thing about passing key's around is "authenticity" of the
> >actual key. This is the entire reason that key servers exist... so that just
> >'anyone' can't send you a public key since you have no way of "knowing" that
> >the other "end" of the Jabber connection isn't a hacker/spoofer/etc..
> >
> >The Public key servers are "trusted authorities" so that we both trust the
> >server, thus, we can "safely" exchange public keys with it.
> >
> >IMO, the ONLY way that a Jabber client should fetch keys is by doing it
> >through an existing public key server.. or force the user to use the PGP/GPG
> >key utilities to find the key first, and just use the existing key ring.
> >
> >Temas - am I on the right track here?? :) We talked about this @ OSS and
> >this is what I remember from that discussion.
> I completly disagree! Keyservers are *not* "trusted authorities" ! 
> You misunderstood the PGP principle IMHO.
> Keysevers can be victims of spoof attacks etc. just like anyone else. 
> In addition, anyone can put a key on a keyserver, faked as well as 
> real keys. (Faked meaning: they bear an email address that doesn't 
> match the real creator).
> The only two ways to validate a key is 1) you get the key from 
> someone you can trust in a *physically* way (e.g. on a disk) or 2) 
> the key is signed by some (or better more) keys which are already 
> trusted by you. This is how CAs work: they sign your key (marking it 
> as trusted & valid) only when you can physically proof it is yours. 
> Since you got the public key of the CA you can be sure other keys 
> signed by that CA a valid (if you trust them is something else, but 
> you can be sure the email/name on the key are correct).
> Bye,
> Max
> -- 
> -----------------------------------------------
> Max Horn
> International C/C++/Internet Development
> email: <mailto:max at quendi.de>
>    web: <http://www.quendi.de>
> phone: (+49) 2621-188947
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev

Mark Wilcox
mark at mjwilcox.com

More information about the JDev mailing list