gpg keyring

Alex Hudson home at alexhudson.com
Sun Apr 15 09:16:07 UTC 2007


On Sat, 2007-04-14 at 22:25 +0100, MJ Ray wrote:
> Paweł Madej <nysander at quanteam.pl> wrote: [...]
> > so my question is if there is any reason why some of you do not publish public 
> > keys to some keyserver for example pgp.mit.edu or any other
> 
> Keyservers are horribly broken.  subkeys.pgp.mit.edu (or something
> close to that) is better than most, but it's still more reliable to
> put it on your web page or in a human-maintained keyring.

I agree with you about reliability, but it does suck a bit for searching
- if you just wanted to search for the GPG key for a given e-mail
address, you'd probably have trouble. You end up having to try to find
the person's web page, and then seeing if their key is obviously linked.

What has surprised me is that none of the web meta-data people have
taken this challenge on. It seems utterly obvious, to me, that this is
prime fodder for Friend-of-a-Friend (FOAF), but they don't seem to have
done much: in fact, they support signing FOAF descriptions, but not
specifying keys / key ids - you still have to look keys up in key
servers.

I realise there's an issue with people pretending to be people they're
not, but it doesn't seem to be anything different to key servers except
people trust key servers more often.

FOAF would also have the advantage of being able to publish keyrings
with good structured meta-data, taking advantage of everyone on the
keyring being able to publish the data too.

Cheers,

Alex.



