Question
One thing that I found out when starting to use PGP: When I uploaded my keys to the SKS keyserver, the keyserver did not take any action to verify that I am who I claim to be.
Since a PGP key contains an email address, at least, the keyserver could have sent an email with a link inside that must be clicked for the key to become live on the keyserver. Then you at least know that the person who uploaded the PGP key does at least control the email address he claims to own.
Why don't PGP keyservers verify the ownership of the claimed email account?
Yes, I do understand the web of trust system, but doing a simple automated "Click this link to make your key go live on the key servers" would at least require any impostor to have access to the email account, and such a system could be implemented on keyservers with only a few lines of code.
Another thing I don't know is how people verify others' claimed email at key signing parties. At key signing parties, people show their ID card. But there are no email addresses on the ID card. Yes, today with the smartphone evolution, you could send an email to the claimed email address and ask the other person to read it out loud, but what did people do at KSPs when smartphones were not a big thing and you didn't have access to the email account for the moment at the KSP? Especially with email accounts that are behind firewalls, e.g. corporate or ISP accounts that can only be used inside the authorized network?
Explanation / Answer
It's very important to understand that OpenPGP keyservers are not certificate authorities. They are not responsible for key verification. OpenPGP employs a decentralized trust model, so it's the user's job to verify a key either by directly checking the fingerprint or by using the web of trust (like you already said).
When people use keyservers to download a key for a given e-mail address without any further validation, they fundamentally misunderstand the trust model of OpenPGP. That's not the keyserver's fault.
Of course keyservers could introduce basic verification to reduce the amount of garbage keys. However, this would further blur the line between keyservers and CAs, and it might create a false sense of security. The fact that somebody was able to read a link within an unencrypted confirmation e-mail doesn't prove anything, because the e-mail may very well have been captured in transit. So a keyserver offering
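The answer's advice is to verify a key by its fingerprint rather than trusting whatever a keyserver hands back for an e-mail address. The following is an added example (not code from the original question or answer) of what that looks like on the client side: it parses the machine-readable listing that `gpg --with-colons --fingerprint` produces, shows that several keys on a keyserver can carry the same user ID, and picks one only when its fingerprint matches a value obtained out of band (business card, phone call, key signing party). The listing, key IDs and fingerprints below are constructed for the example and do not belong to any real key.

```python
"""Pick the right OpenPGP key out of a keyserver result by fingerprint, not by e-mail.

Added example, not part of the original question or answer. Keyservers do not
check ownership of user IDs, so a lookup by address can return more than one
key; only an out-of-band fingerprint tells them apart.
"""
import hmac
import re
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --fingerprint --list-keys alice@example.org`
# after importing two keys from a keyserver. Key IDs, user-ID hashes and
# fingerprints are made-up values, not real keys.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:1111111111111111:1700000000:::-:::scESC::::::23::0:
fpr:::::::::AAAA11112222333344445555666677778888AAAA:
uid:-::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sub:-:4096:1:2222222222222222:1700000000::::::e::::::23:
fpr:::::::::BBBB11112222333344445555666677778888BBBB:
pub:-:3072:1:3333333333333333:1700000001:::-:::scESC::::::23::0:
fpr:::::::::CCCC11112222333344445555666677778888CCCC:
uid:-::::1700000001::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Alice Example <alice@example.org>::::::::::0:
"""


@dataclass
class PrimaryKey:
    fingerprint: str                       # 40 hex chars, upper case, no spaces
    uids: list = field(default_factory=list)


def normalize_fingerprint(text: str) -> str:
    """Canonical form for comparison: drop spaces and colons, upper-case.
    Rejects anything that is not a 40-hex-digit v4 fingerprint."""
    fp = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {text!r}")
    return fp


def parse_colon_listing(listing: str) -> list:
    """Group pub/fpr/uid records into PrimaryKey objects.
    In gpg's colon format the fingerprint sits in field 10 (index 9) of an
    `fpr` record and the user ID in field 10 of a `uid` record. The `fpr`
    right after `pub` is the primary key's; those after `sub` belong to
    subkeys and are skipped here."""
    keys = []
    expect_primary_fpr = False
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            keys.append(PrimaryKey(fingerprint=""))
            expect_primary_fpr = True
        elif rtype == "fpr" and expect_primary_fpr:
            keys[-1].fingerprint = normalize_fingerprint(fields[9])
            expect_primary_fpr = False
        elif rtype == "sub":
            expect_primary_fpr = False
        elif rtype == "uid" and keys:
            keys[-1].uids.append(fields[9])
    return keys


def keys_claiming_email(keys: list, email: str) -> list:
    """Every key whose user IDs carry the address. Nothing stops a second
    party from uploading another key with the same UID, so this list is
    not a trust decision, only the candidate set."""
    needle = f"<{email.lower()}>"
    return [k for k in keys if any(needle in uid.lower() for uid in k.uids)]


def select_by_fingerprint(keys: list, trusted_fingerprint: str):
    """Return the single candidate whose fingerprint equals the value
    obtained out of band, or None if no candidate matches."""
    want = normalize_fingerprint(trusted_fingerprint).encode()
    for k in keys:
        if hmac.compare_digest(k.fingerprint.encode(), want):
            return k
    return None


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    claimants = keys_claiming_email(keys, "alice@example.org")
    print(f"{len(claimants)} keys on the keyserver claim alice@example.org")
    # Fingerprint as Alice read it out in person (constructed value).
    chosen = select_by_fingerprint(
        claimants, "AAAA 1111 2222 3333 4444  5555 6666 7777 8888 AAAA")
    print("use key:", chosen.fingerprint if chosen else "none matched; do not encrypt")
```

Against a real keyring, feed the output of `gpg --with-colons --fingerprint --list-keys <address>` to `parse_colon_listing`. The script deliberately refuses to choose when no fingerprint matches rather than falling back to "the newest key for that address", which is exactly the shortcut the answer warns against.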