Digital Signing (Beat The Dead Horse) was Re: Free Software for m$

Shawn Rutledge plug-discuss@lists.plug.phoenix.az.us
Wed, 25 Sep 2002 11:29:12 -0700


So what are the popular key servers?  Is this free, and who pays for
the bandwidth?  Are they just web servers, or something else?

How to configure mutt and gpg to use key servers?  Will it cache them
locally so I'm not going out to some server every time I read a signed
email?

Where is the information about who has signed your key stored?  On
the key server, or is there something inherent in the key itself,
that your identity has been verified?

On Wed, Sep 25, 2002 at 10:51:52AM -0700, Randy Kaelber wrote:
> That's actually the largest challenge in crypto applications: key
> management.  The theory for public key cryptography is thus:  You
> generate a key pair, one is a public key, which you share far and wide
> (put on keyservers, put up on your web page, whatever it takes), the
> other one you keep to yourself.  But,  what keeps someone from
> generating a key pair using my name?  Nothing at all.  That's where key
> signing comes in, which begins the web of trust.  You generate a key
> pair, send the public key to a friend who knows you, and you get
> together, call him up on the phone, or whatever you feel you need to do
> to verify to him that the key is really yours.  He signs it with his
> key, which is a way of saying "Yeah, I know that this 
> key really belongs to this person."
> 
> Lather, rinse, repeat.  This is why key signing parties are good (bring
> along a photo ID!).  Everyone there can sign everyone's keys, and when
> you're done, you have more people vouching for your key.  
> 
> You can assign trust levels to signers: "I know Alice, and she's a GPG
> Nazi and won't sign a key for someone until she gets photo ID and pulls
> a TRW file on them to verify data. If she signs a key, I *know* it's
> authentic.  That Bob guy?  He's kinda flaky.  I don't think he does a
> good job of checking someone's bona fides.  Take his signature with a
> grain of salt."
> 
> There are key servers on the net which you can use to get just about
> anyone's public key (if they've published them).  Whenever you get a new
> signature on yours, you should put the new key up there (if the person
> who signed it hasn't beaten you to it).  The more signatures, the
> better. 

-- 
  _______                   Shawn T. Rutledge / KB7PWD  ecloud@bigfoot.com
 (_  | |_)                       http://ecloud.org  kb7pwd@kb7pwd.ampr.org
 __) | | \________________________________________________________________
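As an added illustration (not code from the original thread), this Python model shows how the "Alice is careful, Bob is flaky" trust levels turn into a decision about whether a key belongs to its claimed owner, using GnuPG's classic defaults of one fully trusted or three marginally trusted signers. Key ids, user ids and the keyring are constructed for the example, and the certification-path depth limit is left out for brevity.

```python
from dataclasses import dataclass, field

# Owner trust you assign to a person: how well they check IDs before signing.
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"

# GnuPG's classic defaults (tunable with --completes-needed / --marginals-needed):
# a key becomes valid with 1 signature from a fully trusted key or 3 from
# marginally trusted keys. GnuPG's --max-cert-depth limit is omitted here
# (assumption: chains in this keyring are short).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


@dataclass
class PublicKey:
    key_id: str                                 # constructed ids, not real keys
    user_id: str
    signers: set = field(default_factory=set)   # ids that certified this key; the
                                                # signatures travel with the key itself


def compute_validity(keys: dict, owner_trust: dict, own_key_id: str) -> set:
    """Return the key ids whose user ids are considered valid.

    A signature only counts once the signing key is itself valid, so the
    computation iterates until no further key becomes valid."""
    valid = {own_key_id}                        # your own key is ultimately trusted
    changed = True
    while changed:
        changed = False
        for key in keys.values():
            if key.key_id in valid:
                continue
            counted = [owner_trust.get(s, UNKNOWN) for s in key.signers if s in valid]
            full = sum(t in (FULL, ULTIMATE) for t in counted)
            marginal = sum(t == MARGINAL for t in counted)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key.key_id)
                changed = True
    return valid


# Constructed keyring mirroring the post: careful Alice (full), flaky Bob (marginal).
ME = "ME000001"
KEYRING = {k.key_id: k for k in [
    PublicKey(ME, "me@example.org"),
    PublicKey("ALICE001", "alice@example.org", {ME}),
    PublicKey("BOB00001", "bob@example.org", {ME}),
    PublicKey("FRANK001", "frank@example.org", {"ALICE001"}),
    PublicKey("GRACE001", "grace@example.org", {"ALICE001"}),
    PublicKey("CAROL001", "carol@example.org", {"ALICE001"}),     # one full signer
    PublicKey("DAVE0001", "dave@example.org", {"BOB00001"}),      # one marginal only
    PublicKey("EVE00001", "eve@example.org", {"BOB00001", "FRANK001", "GRACE001"}),
    PublicKey("FAKE0001", "alice@example.org"),                   # impostor, unsigned
]}
OWNER_TRUST = {ME: ULTIMATE, "ALICE001": FULL, "BOB00001": MARGINAL,
               "FRANK001": MARGINAL, "GRACE001": MARGINAL}

if __name__ == "__main__":
    valid_ids = compute_validity(KEYRING, OWNER_TRUST, ME)
    for kid in sorted(KEYRING):
        print(kid, KEYRING[kid].user_id, "valid" if kid in valid_ids else "NOT valid")
```

The unsigned impostor key carrying Alice's address is never trusted, and Dave's key stays unverified because Bob's lone marginal signature is not enough.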