About PGP Signing a File.

Jeffrey F. Bloss jbloss at tampabay.rr.com
Sun Feb 11 11:43:16 UTC 2007 

Tony Arnold wrote:

> > From the FWIW department, the MIT and LDAP PGP keyservers are
> > broken. They'll mangle newer version keys and/or won't broadcast any
> > at all. The current rule of thumb is to stick with newer HKP
> > protocol servers, and use one of the random pool redirects like...
> 
> I'm not sure where Seahorse gets these from! My gnu.conf file
> specifies hkp:///subkeys.pgp.net which perhaps is a much better
> choice?

Absolutely. I believe "subkeys" is a pseudonym for another, larger
server farm just like "random...de" is. Which is real handy if one
server hiccups or dies. 

This is one of the reasons I dislike Seahorse. I think I enumerated
others in a thread a few weeks ago, mostly centering on how Seahorse
likes to manage it's "gpg-agent" in nonstandard ways. If you happen to
install the 2.x development branch of GnuPG it can get quite messy
because you essentially have two agents trying to handle pass phrase
input. They invariably conflict.

In my humble opinion GPA or even KGPG are preferable alternatives,
although KGPG messes with your gpg.conf too, if you're not careful. It
does, however, give you all that mouse-able functionality found in
PGP's "PGPTray" application. GPA is just a plain ol' no-nonsense front
end to basic GnuPG functionality. As far as I've seen it leaves it's
paws completely off your finely tuned configuration. ;)

This inserted from another reply...

> I don't think it is possible for someone to prove beyond doubt they
> are who they say they are. I suspect even your example above is open
> to abuse.

EgggggggZACTly. :) My silly in jest suggestion isn't perfect, and it's
logistically infeasible for most users to even attain a lesser level
of trust in a given public key. But still PGP/GnuPG is more often
mistaken for a proof of authorship tool than not.  


> > There are other protocols which address identity in much more
> > suitable ways, although the "zero knowledge proof" problem has been
> > a major thorn in cryptographers' sides since cryptography was
> > invented. ;)  
> 
> I'd be interested to hear about other such protocols.

Probably out of the scope of this list, but think "trusted authority"
like Verisign. That's where most proof of identity mechanisms have
there roots. And for an overview of the more esoteric theories and such
you can Google "zero knowledge proof of identity" or "zero knowledge
proofs" (with the quotes). :)


-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
                    http://wrench.homelinux.net/~jeff/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 892 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20070211/eac0c82f/attachment.sig>

More information about the ubuntu-users mailing list