[ppml] Policy Proposal 2007-1 - Staff Assessment

Stephen Sprunk stephen at sprunk.org
Mon Apr 16 01:17:32 EDT 2007


Thus spake "Martin Hannigan" <martin.hannigan at batelnet.bs>
> I do have a problem with having a key removed from public
> key servers through undocumented back channels. I'm not an
> expert in keyserver ops, but being able to make a call and get
> a key "fixed" seems to be an extremely bad idea. I'd
> appreciate some detail as to why this doesn't undermine the
> web of trust around pgp keys on public servers and how it's ok
> since I don't quite understand how it could be based on my
> existing knowledge.

It's not getting a key "fixed"; it's getting a useless key removed. 
Ideally, it wouldn't be needed, and in practice it may not be, but it's 
confusing at best.  Some folks would try to use the old key instead of the 
new one, and they wouldn't be able to communicate with ARIN securely on the 
first attempt.

Keyservers aren't part of the PGP security model in the first place; their 
existence or reliability has no effect on the web of trust.  Keys could 
randomly disappear all the time and nobody would really care, except that 
it'd be a minor annoyance when trying to contact someone new.  The trust 
model is based on what signatures are present and who they're done by once 
one finds the key, not where one gets the key from.  Of course, who exactly 
is going to be signing ARIN's key and why?  Standard usage indicates folks 
who want to send PGP mail to ARIN would do so in their own keyrings, after 
verifying it was authentic by OOB means, but who would the original key on 
the keyservers be signed by (at first, or ever)?

S

Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov 
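
The validity rule described in the message above, as an added example that is not part of the original post: a simplified Python sketch of the classic PGP web-of-trust calculation, showing that the place a key was fetched from never enters the decision. The function names, key names, signatures and owner-trust values are constructed for illustration; the thresholds mirror GnuPG's defaults, and certification depth, expiry and revocation are left out.

```python
# Simplified sketch of the classic PGP web-of-trust validity rule.
# Thresholds mirror GnuPG's defaults (--completes-needed 1, --marginals-needed 3).
# All key names, signatures and trust values below are constructed sample data.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3

def valid_keys(signatures, ownertrust):
    """Return the set of keys the local user considers valid.

    signatures: {key: set of keys that certified it}
    ownertrust: {key: "ultimate" | "full" | "marginal"}, set locally by the user
    """
    valid = {k for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures made by keys that are themselves valid count.
            usable = [s for s in signers if s in valid]
            ultimate = sum(ownertrust.get(s) == "ultimate" for s in usable)
            full = sum(ownertrust.get(s) == "full" for s in usable)
            marginal = sum(ownertrust.get(s) == "marginal" for s in usable)
            if ultimate or full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid

def is_valid(key, source, signatures, ownertrust):
    # `source` (keyserver, website, e-mail) is accepted but deliberately unused:
    # where the key came from plays no part in the decision.
    return key in valid_keys(signatures, ownertrust)

OWNERTRUST = {"me": "ultimate", "alice": "full", "bob": "marginal"}
SIGNATURES = {
    "alice": {"me"},
    "bob": {"me"},
    "org-key-a": {"alice"},     # certified by a valid, fully trusted key
    "org-key-b": {"bob"},       # one marginal signature: below the threshold
    "org-key-c": {"stranger"},  # certified only by an unknown key
}
```

Adding `"me"` to the signers of `org-key-c`, which models a local signature made after out-of-band verification, is the only change that makes that key valid.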




