Ask Slashdot: Is There a PGP Key Repository?
Martin Foster asks this question:
"I noticed that a lot of Sites, such as Sendmail.org,
Kernel.Org et cetera, sign all their downloads with a
PGP Signature. While this is useful, getting a copy of
this key can be a bit more difficult than it looks.
For example, I have yet to be able to retrieve the key from
Red Hat's page. I had to look through the PGP Keyserver and
guess which one was the correct one. Is there a site on
the net that just stores such keys? Making it a central
place to get any key needed to verify if a file is really
as it seems?" A centralized, trustworthy place
for downloading public keys seems to be a good idea. What
do you all think?
We have one (read the man pages) (Score:1)
That's done automatically. (Score:1)
The problem isn't, btw, w/ folks randomly signing others' keys -- as long as they verified that the key really does belong to the person it's supposed to. I verify the fingerprints by phone; As long as people follow such precautions, there's no problem w/ signing as many keys as one likes.
Apparently not (Score:1)
RTFM (Score:1)
Here's the URL http://www.nai.com/products/security/public_keys/
But I have to wonder how you managed to install/use PGP without reading the instructions enough to know about the site.
hkp://keys.pgp.com/yourlogin@yourdomain.xxx (Score:1)
Read the docs that came with your software.
PGP Servers (Score:1)
There are two central pgp key servers. The first is ldap://certserver.pgp.com. The second is http://pgpkeys.mit.edu:11371. Either of these can be set to be automatically accessed by PGP6+ programs when an unknown key is found.
There is a web interface to request a key as well, http://www.nai.com/products/security/public_keys/
Linux people should all sign each other's keys (Score:1)
PGP key repository == GREAT IDEAR! (Score:1)
This is what we need if PGP has to become more widely used!!!
what about horowitz.surfnet.nl? (Score:1)
I'm pretty sure nai runs a HKP (Horowitz Key Protocol) site as well as the silly web interface to get keys . . .
Why would we need more servers?
one repository is not enough - use pgp.net ... (Score:1)
See pgp.net [pgp.net] for background info and a list of mirror sites (or lookup the TXT RR for www.pgp.net for mirrors -- see wwwkeys.pgp.net for WWW access to the distributed key servers).
Note that none of the keys are in any way checked -- it is up to *YOU* to check the signatures, etc.
On the other hand, "The Global Trust Register" [cam.ac.uk] does impart a warm glow
Key Management is a complicated issue (Score:1)
Unfortunately, too many signing keys for software distribution rely on massive key redistribution, instead of using the web of trust [cam.ac.uk].
Is PGP really popular? (Score:1)
What do your fellas think?
CP
Key Management is a complicated issue (Score:1)
* "certification" -- individuals and organizations
should certify the PGP public keys of software
authors based on various criteria; I sign people
I know, others might sign people who they're
willing to vouch for as good people, etc.
* "distribution" -- getting people to upload
their keys to a keyserver or other repository.
This does *not* require any trust. One could
run a slashdot key server, or use the existing
key server infrastructure.
Do not merge the functionality! Otherwise you'll
end up with x.509. CAs, and all the attendant
crap. PGP uses the web of trust for a reason.
One more choice: sign code or sign keys? (Score:1)
trust relationships, another interesting question
comes up:
Should I, as a user, sign the key of, say,
Ben Laurie (apache-ssl, openssl guy), saying I
know him (I'd say yes), and that he's generally
a good guy?
Or, is it more important that I sign the *code*
also, saying I've reviewed it and it seems
reasonable?
I think people should do both -- I'd be far
happier if there were signatures from everyone
who seriously looked at the code for security
purposes on the code they reviewed, rather than
just on someone's key.
These are really two separate problems, but both
need to be solved.
At MIT, Lenny Foner and others were working on
a system to allow people to individually sign/audit small subsections of a large security
program. This seems more reasonable than
a system where people have to look at all the code, or sign none of it. As long as design
is sufficiently encapsulated (ideal from a
security perspective, but not always possible),
it should be possible to review only a single module. A build system could then be constructed
to require a threshold number of signatures from
a set of people you trust, but not necessarily
the same individuals reviewing the whole program.
This is really the next step in cryptographic
signatures -- "signature management" to go along
with trust management. To do it, one would need
a patched build system, and potentially also
a standard for signatures and keys to include
*why* they are being signed, not just that there
is a valid cryptographic signature. I could
sign an Anonymous Coward's code to assert I believe it is secure without knowing the identity
of the Anonymous Coward. *This* is the main
advantage of a decentralized freeform system like
PGP (yay openpgp! yay gnupg!) over a rigidly
enforced corporate hierarchy like x.509.
Debian has gone far beyond most corporations in
its use of PGP tools to verify developers (I think
Red Hat has as well). This is the next step...
1024D/4096g 0xD2E0301F Ryan Lackey
B8B8 3D95 F940 9760 C64B DE90 07AD B307 D2E0 301F
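The threshold-signature build policy sketched above, as an added example that is not code from the thread, from MIT, or from any real build system: each module must carry a threshold number of valid signatures from distinct trusted reviewers whose stated purpose is "security-reviewed". An HMAC over (module, content digest, purpose) stands in for an OpenPGP signature so the block runs offline; reviewer keys, modules and signatures are constructed.

```python
"""Threshold, per-module review signatures that record *why* they were made."""
import hashlib
import hmac

# Constructed reviewer keys (stand-ins for OpenPGP keys) and the set you trust.
REVIEWER_KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
TRUSTED_REVIEWERS = {"alice", "bob", "carol"}


def _message(module, content, purpose):
    # The signed statement binds module name, content digest and purpose.
    return f"{module}\n{hashlib.sha256(content).hexdigest()}\n{purpose}".encode()


def sign(reviewer, module, content, purpose):
    """Produce a signature over the module that states the reviewer's purpose."""
    mac = hmac.new(REVIEWER_KEYS[reviewer], _message(module, content, purpose), "sha256")
    return {"reviewer": reviewer, "purpose": purpose, "mac": mac.hexdigest()}


def verify(sig, module, content):
    """True if sig is a valid signature by a known key over this content."""
    key = REVIEWER_KEYS.get(sig["reviewer"])
    if key is None:
        return False
    expected = hmac.new(key, _message(module, content, sig["purpose"]), "sha256")
    return hmac.compare_digest(expected.hexdigest(), sig["mac"])


def check_build(modules, sigs, threshold, purpose="security-reviewed"):
    """Return (ok, counts): ok is True only when every module has at least
    `threshold` valid signatures from distinct trusted reviewers with the
    required purpose.  Signatures from untrusted keys, with another purpose
    (e.g. "known-author"), or over stale content are ignored."""
    counts = {}
    for name, content in modules.items():
        reviewers = {s["reviewer"] for s in sigs.get(name, ())
                     if s["reviewer"] in TRUSTED_REVIEWERS
                     and s["purpose"] == purpose and verify(s, name, content)}
        counts[name] = len(reviewers)
    return all(c >= threshold for c in counts.values()), counts


def demo():
    # Constructed modules and signatures: "crypto" has only an identity-style
    # signature from alice, and the "ui" signature was made over older content.
    modules = {"parser": b"int parse(char *s)", "crypto": b"aes_encrypt()", "ui": b"draw()"}
    sigs = {"parser": [sign("alice", "parser", modules["parser"], "security-reviewed"),
                       sign("bob", "parser", modules["parser"], "security-reviewed")],
            "crypto": [sign("carol", "crypto", modules["crypto"], "security-reviewed"),
                       sign("alice", "crypto", modules["crypto"], "known-author")],
            "ui": [sign("bob", "ui", b"draw() /* old */", "security-reviewed")]}
    return check_build(modules, sigs, threshold=2)
```

With a threshold of two, `demo()` rejects the build and reports that only `parser` is fully covered.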
GNU Privacy Guard (Score:1)
It certainly has some reliability issues
sometimes, far more than PGP, Inc.'s product.
I've only had the system break during upgrades,
and once it works it works quite well. The bugs
are all very apparent to the user, like the thing
just refusing to sign or use a key, rather than
things which could open security holes.
Overall, I'd be more comfortable using GnuPG,
since I can easily audit the source (it's smaller
and easier to understand), support the GPL,
and tell people worldwide to use the same
product, than using a PGP, Inc. product.
Being a little bit on the edge to push a good
thing like a GPL'd OpenPGP implementation is
worth a bit of sacrifice, too.
Keyservers (Score:1)
But apparently everyone seems to believe that I can't read a manual. Go figure.
How clueless can you get ? (Score:1)
So, I look at the key repository and find multiple keys (This can apply for most corporations or large organizations)... Which do I choose? They almost all look the same, and when I find one that matches, I notice subtle differences, probably based on the key not being updated.
What I was thinking of was a Central Repository maintained by, let's say, RedHat, who carry only the most recent and used distribution keys. Hit one site, get what you need and leave. That's what I was implying, since it saves you from having to sift through identical keys and make guesses.
What I believe the original post was trying to say (Score:1)
But I hate sifting through endless keys on the main keyservers in order to get a key I need. Especially when there are ambiguous names.
Key Repository (Score:1)
Clarification (Score:1)
Let's say a repository that contains the distribution keys of RedHat, Kernel.Org, Apache, Debian, SSH et cetera. That way you connect to one site and retrieve them, not needing to sift through all the keys on the repository (RedHat has quite a few and none matched the one on their WebPage).
I know that there are repositories in place, and I have used them before. Heck, my key is there too, but that does not deter the fact that a specialized site that is actively maintained (when a maintainer changes the key the old one gets removed) and remained secure.
Though I must admit that only a site that most people would trust could be used. For example RedHat housing the repository on their servers, and making sure that it is not tampered with through various security means.
Like I said, I don't like to sift through endless keys that could possibly be what I need. I would like to visit one site and get all of the distribution keys that I need.
An analogy to this would be like going to a store that specializes in books from a specific genre, or going to Chapters (being the main repositories of today).
one repository is not enough (for fools) (Score:1)
The "Web of Trust" that keeps getting mentioned is not just some catch phrase we're bandying about. It is the mechanism by which we avoid the problems you're talking about of knowing which is the right key. That's the whole point of people being able to sign each other's keys. Let's say you have to decide on whether or not the key you downloaded was the right one, you'd want to start by looking at the names of the other people who signed the key that the document was signed with. If you don't know for sure that those are their keys, you can trace outwards further until you reach a signature used by someone you *do* know and trust.
It sounds a little far fetched, but if you are a relatively widely recognized figure, you should get out there and try to exchange signatures with as many other widely recognized people that you trust as you can deal with. I know it sounds irrational to try to find an associative link between yourself and various software developers, yet people play "Six Degrees of Kevin Bacon" (or whatever it's called) all the time. It's not as hard as it looks.
hkp://keys.pgp.com/yourlogin@yourdomain.xxx (Score:1)
MIT's PGP key server (Score:1)
It does no certification, just distribution, but you can add your key and check others quite easily.
What I believe the original post was trying to say (Score:1)
He wasn't saying "I don't know how cryptographic trust relationships work"
He wasn't saying "The PGP web of trust doesn't work"
I believe what he was trying to say was "Wouldn't it be nice if someone compiled and published a keyring with signing keys of some of the major distributions and packages?"
That someone would need to be more or less globally known and trusted in the Open Source world and sign that keyring.
Red Hat's PGP Key? (Score:1)
hkp://keys.pgp.com (Score:1)
I have to say, RTFM. This repository is mentioned in the man pages for pgp.
Use RHCN! (Score:1)
How clueless can you get ? (Score:1)
in this ridiculous thread than the starting
message.
The whole point with PGP is *trust*.
It doesn't matter where you get the keys,
what matters is who signed them, whether they
are reliable people, and whether you trust
them.
PGP is not yet another cool whistle to add to your
machine, it's either something you want, and then
you'd better learn to use it correctly, or
something you don't have to care about at all.
Besides, it only protects you against some
tampering on the way. If the basic archive
machine gets broken somehow, the magic potion
won't work, as the recent incident with the linux
security server distribution amply demonstrates.
Never used it (Score:1)
Your statement is not credible. You may choose to not send your private data over public networks at this time, but that does not mean you don't have any data that needs that level of encryption. Put all this info in a message on
what do you do with em? (Score:1)
Key Signing (Score:1)
It becomes a nightmare trying to backtrace all signatures back to a key you know is trustworthy
- Is there any software to do this? ie If you tell it who you trust/know, something that will follow all links to tell you if you can trust a particular signed key?
That's done automatically-I didn't mean *Randomly* (Score:1)
I meant there is an interlinked network of people who have signed each others' keys.
Of course they have to verify fingerprints before signing, pref. by face to face contact, but over the phone is okay if you know that person.
The random bit is the *network* of interlinked signatures ( - this is obvious, you cannot expect to know who on the internet knows each other beforehand).
That's done automatically. (Score:1)
How's about the Global Trust Register? (Score:1)
URL: http://www.cl.cam.ac.uk/Research/Security/Trust-R
Alex
USENIX does this (Score:1)
Re: PGP stinks... (Score:1)
BESTS (Score:1)
Here is the way it's supposed to work -- you get someone's key personally (on a diskette, or whatever) or it is transmitted to you and signed by someone you already know or trust. Kind of a six degrees type deal. This creates a "web of trust". If I remember, in PGP, you can specify the level to which you trust a key, which means some keys can be trusted enough to authenticate other keys.
Hmmm, maybe six-degrees should be the one managing PGP keys... What'dya think?
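The key-validity calculation that the web of trust posts above describe (trace signatures outward until you reach a key you trust, with per-key trust levels deciding which keys may vouch for others), and the "software to follow all links" asked about in the Key Signing post, as an added example that is not code from the thread or from PGP/GnuPG. It uses the classic PGP rules (one fully trusted or three marginally trusted signers make a key valid, paths at most five deep); the keys, signatures and trust settings are constructed, and each signature is assumed to have already passed its cryptographic check.

```python
"""Web-of-trust key validity in the style of the classic PGP trust model."""

FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1   # one fully trusted signer validates a key
MARGINALS_NEEDED = 3   # or three marginally trusted signers
MAX_CERT_DEPTH = 5     # longest signature chain from your own key


def compute_valid_keys(own_key, signatures, ownertrust):
    """Return {key: depth} for every key valid from own_key's point of view.

    signatures : iterable of (signer, signed) pairs
    ownertrust : {key: FULL | MARGINAL}, how far you trust that key's owner
                 to certify *other* keys; own_key is ultimately trusted
    """
    signers_of = {}
    for signer, signed in signatures:
        signers_of.setdefault(signed, set()).add(signer)
    valid = {own_key: 0}
    changed = True
    while changed:            # iterate to a fixpoint: keys validated in one
        changed = False       # pass may validate further keys in the next
        for key, signers in signers_of.items():
            if key in valid:
                continue
            fulls, marginals, depths = 0, 0, []
            for s in signers:
                if s not in valid or valid[s] >= MAX_CERT_DEPTH:
                    continue  # unknown key, or chain already too long
                trust = "ultimate" if s == own_key else ownertrust.get(s)
                if trust in ("ultimate", FULL):
                    fulls += 1
                elif trust == MARGINAL:
                    marginals += 1
                else:
                    continue  # valid key, but its owner is not trusted to certify
                depths.append(valid[s] + 1)
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                valid[key] = min(depths)
                changed = True
    return valid


def demo():
    # Constructed keyring: two keys claim to be the distribution key; only the
    # one vouched for by a fully trusted signer (or by three marginals) is valid.
    signatures = [("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dave"),
                  ("alice", "distro-release-key"),
                  ("bob", "lookalike-key"), ("carol", "lookalike-key"),
                  ("bob", "erin"), ("carol", "erin"), ("dave", "erin"), ("stranger", "erin")]
    ownertrust = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}
    return compute_valid_keys("me", signatures, ownertrust)
```

In `demo()`, `distro-release-key` and `erin` come out valid while `lookalike-key` (only two marginal signers) and `stranger` (signed by nobody you can reach) do not.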
Re: (Score:1)
you idiot (Score:1)
BESTS (Score:1)
The "independence" of the registration authority is the main point in question:
Businesses don't trust Government to do it, Government doesn't trust businesses and the individual consumer trusts neither!
AC
Never used it (Score:1)
Tell me, do you lock your door to the house? Do you lock your car door (if you don't have one, please imagine you do)?
My point is this. Just because it is possible to get in to the house, even with the door locked, you don't leave it open, as a form of discouragement, to try and make it harder for someone to break in to your house. There is no such thing as a 100% secure system, none. But you can make that system as hard to break in to as possible.
I think this is one thing that people should realise. It is all more of a deterrent than a 100% guarantee of protection.
Does anyone disagree?
That's done automatically. (Score:1)
The other writer (I am assuming) is saying that people are signing keys without actually verifying that the key belongs to whoever.
Don't ask me why some one may wish to do this, it is beyond me (well okay, I can think of some reasons, but no point in saying).
That's done automatically-I didn't mean *Randomly* (Score:1)
Oh, and I can't spell so leave me alone.