[ppml] Policy Proposal 2007-1 - Staff Assessment
Stephen Sprunk
stephen at sprunk.org
Mon Apr 16 01:17:32 EDT 2007

Thus spake "Martin Hannigan" <martin.hannigan at batelnet.bs>
> I do have a problem with having a key removed from public
> key servers through undocumented back channels. I'm not an
> expert in keyserver ops, but being able to make a call and get
> a key "fixed" seems to be an extremely bad idea. I'd
> appreciate some detail as to why this doesn't undermine the
> web of trust around pgp keys on public servers and how it's ok
> since I don't quite understand how it could be based on my
> existing knowledge.

It's not getting a key "fixed"; it's getting a useless key removed.
Ideally, it wouldn't be needed, and in practice it may not be, but it's
confusing at best. Some folks would try to use the old key instead of the
new one, and they wouldn't be able to communicate with ARIN securely on the
first attempt.

Keyservers aren't part of the PGP security model in the first place; their
existence or reliability has no effect on the web of trust. Keys could
randomly disappear all the time and nobody would really care, except that
it'd be a minor annoyance when trying to contact someone new. The trust
model is based on what signatures are present and who they're done by once
one finds the key, not where one gets the key from. Of course, who exactly
is going to be signing ARIN's key and why? Standard usage indicates folks
who want to send PGP mail to ARIN would do so in their own keyrings, after
verifying it was authentic by OOB means, but who would the original key on
the keyservers be signed by (at first, or ever)?

S

Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov
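
Added example, not part of the original message or of any project's code: a simplified Python model of GnuPG's classic trust model, showing that a key's validity is computed from the certifications on it and the trust placed in the certifiers, while the place the key was fetched from plays no role. The key IDs and the `check_fetched_key` helper are hypothetical, and every listed certification is assumed to have already passed signature verification.

```python
# Simplified model of GnuPG's classic trust model. Constructed example:
# key IDs are hypothetical and each certification listed is assumed to have
# already passed cryptographic signature verification.
COMPLETES_NEEDED = 1  # GnuPG default: one fully trusted certifier suffices
MARGINALS_NEEDED = 3  # GnuPG default: or three marginally trusted ones
MAX_DEPTH = 5         # GnuPG default certification chain depth


def key_is_valid(key_id, certs, ownertrust, own_keys, depth=0, seen=frozenset()):
    """Decide validity from certifications alone.

    certs:      key_id -> set of key IDs that certified it
    ownertrust: key_id -> "full" or "marginal" (trust as an introducer)
    own_keys:   our own (ultimately trusted) key IDs
    """
    if key_id in own_keys:
        return True
    if depth >= MAX_DEPTH or key_id in seen:
        return False
    seen = seen | {key_id}
    full = marginal = 0
    for signer in certs.get(key_id, ()):
        if signer in own_keys:
            full += 1
        elif signer in ownertrust and key_is_valid(
                signer, certs, ownertrust, own_keys, depth + 1, seen):
            full += ownertrust[signer] == "full"
            marginal += ownertrust[signer] == "marginal"
    return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


def check_fetched_key(source, key_id, certs, ownertrust, own_keys):
    """`source` is carried along only to show it never enters the decision."""
    return source, key_is_valid(key_id, certs, ownertrust, own_keys)


if __name__ == "__main__":
    own = {"ME"}
    trust = {"A": "marginal", "B": "marginal", "C": "marginal"}
    certs = {"A": {"ME"}, "B": {"ME"}, "C": {"ME"}, "ROLE-KEY": set()}
    for src in ("keyserver", "website"):
        print(check_fetched_key(src, "ROLE-KEY", certs, trust, own))
    certs["ROLE-KEY"] = {"ME"}  # fingerprint checked out of band, signed locally
    for src in ("keyserver", "website"):
        print(check_fetched_key(src, "ROLE-KEY", certs, trust, own))
```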