On Tue, 2007-04-10 at 21:11 +0200, Magnus Holmgren wrote:
>
> You're wrong. My public key is available from the standard keyserver network.
> wwwkeys.*.pgp.net, pgp.mit.edu, search.keyserver.net, and other servers that
> exchange keys with them. And it's signed by several people too.

Except that there's no way to securely verify that this key was
submitted by *you*. I can submit a key to the key server networks too,
and claim it belongs to Magnus Holmgren. And have it signed by several
other keys I hack up. (I was briefly considering doing that and signing
this e-mail with it to bring the point home, but that would have been
very bad karma.) In fact, a good percentage of the keys on the public
key servers are now believed to be fake, especially those claiming to
belong to well-known persons. And some of them have even been signed by
real people who didn't know better, and replied to "please sign my key"
requests.

http://www.cymru.com/gillsr/documents/pgp-key-verification.htm

A dual key signing system is only valuable if the public key can be 100%
trusted to come from the person it claims to be coming from, and the
private key is kept 100% safe. If either condition can't be fulfilled,
it's slightly worse than useless. Mostly it's used with no purpose
whatsoever except to say "look what I can do".

Regards,
--
*Art
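The argument above in miniature, as an added example that is not part of the thread: a keyserver that accepts any key for any name, and a trust evaluation in which certifications only count when the certifying key was itself verified out of band and designated an introducer. All names and fingerprints are constructed, and the trust rule is a simplification rather than GnuPG's actual algorithm.

```python
# Toy model of the argument above: the keyserver accepts any key for any
# name, so a name lookup proves nothing, and certifications only count when
# the certifying key is itself trusted and designated as an introducer.
# Names and "fingerprints" are constructed; the trust rule is a simplification,
# not GnuPG's actual algorithm.
from dataclasses import dataclass, field

@dataclass
class Key:
    fingerprint: str                 # constructed placeholder value
    uid: str                         # name the submitter claims
    certified_by: set = field(default_factory=set)  # signers' fingerprints

class Keyserver:
    """Accepts anything; a lookup returns every key claiming that name."""
    def __init__(self):
        self.keys = {}
    def submit(self, key):
        self.keys[key.fingerprint] = key   # no identity check at all
    def lookup(self, uid):
        return [k for k in self.keys.values() if k.uid == uid]

def trusted_fingerprints(keys, verified, introducers):
    """Fixpoint: trusted = verified out-of-band, or certified by a trusted
    introducer. A pile of signatures from unverified keys adds nothing."""
    trusted = set(verified) & set(keys)
    changed = True
    while changed:
        changed = False
        for fp, key in keys.items():
            if fp not in trusted and any(
                s in trusted and s in introducers for s in key.certified_by):
                trusted.add(fp)
                changed = True
    return trusted

def demo():
    ks = Keyserver()
    forgers = [Key(f"FP-FORGER-{i}", f"Sock Puppet {i}") for i in range(5)]
    fake = Key("FP-FAKE", "Magnus Holmgren", {f.fingerprint for f in forgers})
    friend = Key("FP-FRIEND", "Known Friend")      # fingerprint checked in person
    real = Key("FP-REAL", "Magnus Holmgren", {friend.fingerprint})
    for k in [real, fake, friend, *forgers]:
        ks.submit(k)                    # forged key is accepted like any other
    claimants = sorted(k.fingerprint for k in ks.lookup("Magnus Holmgren"))
    trusted = trusted_fingerprints(ks.keys, verified={"FP-FRIEND"},
                                   introducers={"FP-FRIEND"})
    return claimants, trusted
```

demo() returns two keys claiming the same name, of which only the one certified by the out-of-band verified introducer ends up trusted; the five forged certifications on the fake key count for nothing.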