[KLUG Members] gpg key signing party.

Dirk H Bartley dbartley at schupan.com
Mon Feb 20 10:52:35 EST 2006


On Mon, 2006-02-20 at 10:07 -0500, Bruce Smith wrote:
> > > 2)  What if I upload my public key now, and change my mind later about
> > > my email addresses (I run adduid/deluid later).  Can I change my key
> > > on the server?  How?  Can I upload it again and overwrite it?
> > 
> > I'm not certain.  Do keys contain revision references?
> > 
> > > 3)  If I can change my key on the server, what keeps other people from
> > > changing my key?
> > 
> > You are uploading your public key,  it can't be generated without your
> > private key.  There is no reason to 'protect' the public key.  If it is
> > altered without the presence of the private key it will be invalid.
> 
> I understand that, but it seems like anyone could generate a
> private/public key pair with someone else's email address and upload the
> public part.


This is the reason for having the key signing party.  Remember, the key
signing party is a misnomer because no keys are actually signed.  The
party is really just a bunch of promises to sign later.

Yes, I can create a key pair and call myself you.  However, only you can
get Adam to verify your key fingerprint and vice versa and then sign
each other's key.  It is the act of signing that creates the web of
trust.  Therefore my key that I generated as you will show as valid but
not verified in Adam's email client when I forge a message from you.

> 
> So why couldn't I generate a key pair for my email and upload the public
> part and overwrite my public key?  (if overwriting is allowed)

No overwriting allowed.

> 
> > > All I see is the place to upload a key, but nothing on how to change or
> > > delete a key, nor any security on the key uploaded. I don't get it!  :-)
> > 
> > I don't know how modification works with regard to the key server.
> > Perhaps you just upload it again?
> 
> I'd really like to know that before I upload my key.  If it can be
> overwritten easily, I don't care as much about which uid's I have in my
> key now (knowing I can change it later).  Otherwise I want to get it
> perfect before I upload it.
> 
> Anyone want to add/delete a uid from their key and try uploading again?
> 
> This all goes back to my original spam question.  I have a couple email
> addresses that I rarely use, which [so far] have been able to avoid
> getting on any spammer's list.  I don't want those uid's in my key if a
> bot is going to harvest them off the key server.  And I might want to
> add them later ...
> 
I think spammers would still have to ask for searches from the
keyserver.  So if they knew there were a bunch of @domain.com on a
keyserver, they could search for it.  But I think there are much easier
ways for spammers to get email addresses.

Dirk
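As an added illustration of the web-of-trust point made above (example code, not from this thread or from GnuPG itself): a small Python model of GnuPG's classic validity rule, run on a constructed keyring in which a second key carries Bruce's user ID but was never certified by anyone Adam has checked in person. Fingerprints and addresses are placeholders; the thresholds are GnuPG's defaults (marginals-needed 3, completes-needed 1).

```python
"""Model of GnuPG's classic trust model: a certification counts toward a
user ID only if the certifying key is itself fully valid AND its owner has
been assigned trust as an introducer.  A self-signature proves nothing."""

UNKNOWN, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3
MARGINALS_NEEDED, COMPLETES_NEEDED = 3, 1   # gpg defaults
NAMES = {UNKNOWN: "unknown", MARGINAL: "marginal", FULL: "full", ULTIMATE: "ultimate"}


def compute_validity(certs, owner_trust):
    """certs: {(fingerprint, uid): {signer_fingerprint, ...}}, self-sigs excluded.
    owner_trust: {fingerprint: level} as set by the keyring owner.
    Iterates to a fixed point, since a signer only counts once its own key is valid."""
    validity = {k: ULTIMATE if owner_trust.get(k[0]) == ULTIMATE else UNKNOWN for k in certs}

    def key_validity(fpr):           # best validity of any uid on that key
        return max([v for (f, _), v in validity.items() if f == fpr], default=UNKNOWN)

    changed = True
    while changed:
        changed = False
        for (fpr, uid), signers in certs.items():
            if validity[(fpr, uid)] == ULTIMATE:
                continue
            fulls = marginals = 0
            for s in signers:
                if key_validity(s) < FULL:
                    continue         # signer's own identity unverified: ignore
                t = owner_trust.get(s, UNKNOWN)
                fulls += 1 if t >= FULL else 0
                marginals += 1 if t == MARGINAL else 0
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                new = FULL
            else:
                new = MARGINAL if fulls + marginals else UNKNOWN
            if new != validity[(fpr, uid)]:
                validity[(fpr, uid)], changed = new, True
    return validity


# Constructed keyring, seen from Adam's point of view (placeholder fingerprints).
ADAM, BRUCE, FAKE, MALLORY, CAROL, DAVE, DIRK = (
    "FPR-" + n for n in ("ADAM", "BRUCE", "FAKE-BRUCE", "MALLORY", "CAROL", "DAVE", "DIRK"))
BRUCE_UID = "Bruce Smith <bruce@example.org>"
KEYRING = {
    (ADAM, "Adam <adam@example.org>"): set(),
    (BRUCE, BRUCE_UID): {ADAM},              # fingerprint checked at the party
    (FAKE, BRUCE_UID): {MALLORY},            # same uid, signed only by an unverified key
    (MALLORY, "Nobody <nobody@example.org>"): set(),
    (CAROL, "Carol <carol@example.org>"): {ADAM},
    (DAVE, "Dave <dave@example.org>"): {ADAM},
    (DIRK, "Dirk H Bartley <dbartley@example.org>"): {BRUCE, CAROL, DAVE},
}
OWNER_TRUST = {ADAM: ULTIMATE, BRUCE: MARGINAL, CAROL: MARGINAL, DAVE: MARGINAL}
```

Running `compute_validity(KEYRING, OWNER_TRUST)` gives the real Bruce key full validity, Dirk's key full validity through three marginal introducers, and the impostor key unknown validity even though it carries an identical user ID.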