Digital Signing (Beat The Dead Horse) was Re: Free Software for m$

Randy Kaelber plug-discuss@lists.plug.phoenix.az.us
Wed, 25 Sep 2002 13:55:38 -0700


Shawn Rutledge wrote:
> 
> So what are the popular key servers?  Is this free, and who pays for
> the bandwidth?  Are they just web servers, or something else?

Essentially, yes. Here's the Google directory on some of the bigger
ones:

http://directory.google.com/Top/Computers/Security/Products_and_Tools/Cryptography/PGP/Key_Servers/?tc=1


> How to configure mutt and gpg to use key servers?  Will it cache them
> locally so I'm not going out to some server every time I read a signed
> email?

Once you bring down a key, it gets stored in your personal key ring, so
there's no need to keep accessing the net for them.

I use mutt and gpg at home, and the integration between the two is
really nice.  Alas, it's been a long time since I got email from someone
for whom I don't already have a key, so I don't recall how well the key
management is integrated there (i.e.  I get a signature from an unknown
sender, go out to a keyserver, get their public key). But signing
messages is really trivial.

> 
> Where is the information about who has signed your key stored?  On
> the key server, or is there something inherent in the key itself,
> that your identity has been verified?

Your public key itself has these digital signatures on it.  The
decision whether a given key is "verified" is up to the person receiving
signed/encrypted files, however, based on how well they trust the sender
and those who have signed the sender's key.  

-- 
Randy Kaelber                                       
Randy.Kaelber@asu.edu
Software Engineer  
Mars Space Flight Facility, Department of Geological Sciences
Arizona State University, Tempe, Arizona, USA
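
An added example, not part of the original message: a simplified Python model of GnuPG's classic web-of-trust calculation, showing how the same signatures on a sender's key lead to different verdicts depending on the recipient's local ownertrust. The key names, signature sets and ownertrust values are constructed; the three thresholds are GnuPG's documented defaults, and the depth handling is a simplification.

```python
# Simplified model of GnuPG's classic web-of-trust validity calculation.
# All key names and trust assignments used with it are constructed samples.

COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default for --max-cert-depth

# Signatures travel with the public key: {key: set of keys that signed it}.
SIGNATURES = {
    "alice": {"me"},
    "bob": {"me"},
    "carol": {"me"},
    "dave": set(),                      # nobody I know has signed dave's key
    "sender": {"alice", "bob", "carol"},
    "stranger": {"dave"},
}

def valid_keys(signatures, ownertrust, my_key="me"):
    """Return {key: depth} for every key the local user would treat as valid.

    ownertrust is local to the recipient: {key: "full" | "marginal"}.
    It is never published on a key server or stored in the key itself.
    """
    valid = {my_key: 0}                          # own key is the trust root
    trust = dict(ownertrust)
    trust[my_key] = "full"
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature only counts if the signer's key is itself valid.
            counted = [s for s in signers if s in valid]
            full = sum(1 for s in counted if trust.get(s) == "full")
            marginal = sum(1 for s in counted if trust.get(s) == "marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid

if __name__ == "__main__":
    for ot in ({"alice": "marginal", "bob": "marginal"},
               {"alice": "marginal", "bob": "marginal", "carol": "marginal"},
               {"alice": "full"},
               {"dave": "full"}):
        print(ot, "->", sorted(valid_keys(SIGNATURES, ot)))
```

In the last case "stranger" stays unverified even though its only signer is fully trusted, because the signer's own key has not been validated.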