
Re: About User-ID's

2001-08-20 10:02:54


I think he meant: is it really necessary that the keyserver
present that many IDs matching (including all signing IDs), or
Additionally I would add: Is it really necessary to allow
three-letter search-patterns? If I search for a key, I should

Agreed.  It is hardly necessary that any keyserver provide a "verbose"
lookup; some keyservers don't, and some only provide limited
information.  Many keyservers only match on full "words", not
arbitrary substrings.  Many limit the number of hits returned in
one query.  These are all fine restrictions.

That said, it wouldn't be hard for a determined harvester to
get most of the meaningful addresses out of a keyserver.
All the names within a (less-than-huge) domain can be
retrieved by querying on that name.

Yes, I suppose you could require complete, exact matches for
the material within angle-brackets.  I wouldn't find such
a keyserver very useful.

If I really wanted to harvest the keyserver contents, I wouldn't use
the query interface at all.  A couple of keyserver operators make
snapshots of their keyrings available for synchronization.  Even if
they weren't, I could pose as a keyserver operator and ask for someone
to give me a snapshot to get started.  Or, I could use the e-mail
interface that many provide to get recent updates.

Whatever your solution, you'd have to convince all of the synchronized
keyserver operators out there to adopt it if you want to protect the
existing "public" keyring.  To do that, I expect you'd have to
demonstrate a greater threat.  As Len pointed out, it doesn't look
like one has materialized yet.

But if anyone wants to build a "safe" keyserver that doesn't
synchronize (outbound) to the "unsafe" servers, they're welcome to
do it.

Version: PGP Personal Privacy 6.5.3
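The lookup restrictions discussed in this message (whole-word matching rather than arbitrary substrings, an exact match required for anything queried inside angle brackets, a minimum pattern length, and a cap on hits per query) are easy to state as a small policy. The following is an added example, not code from the thread or from any real keyserver; the keyring, names and addresses are constructed sample data and the thresholds are hypothetical choices.

```python
# Added example: a toy keyserver lookup policy applying the restrictions
# described in the message. Sample keyring is constructed, not real data.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    key_id: str
    user_ids: tuple  # e.g. ("Alice Example <alice@example.org>",)


# Constructed sample keyring (hypothetical people and addresses).
KEYRING = [
    Key("0xAAAA0001", ("Alice Example <alice@example.org>",)),
    Key("0xAAAA0002", ("Alison Exampleton <alison@example.org>",)),
    Key("0xAAAA0003", ("Bob Builder <bob@example.net>", "Bob Example <bob@example.org>")),
    Key("0xAAAA0004", ("Carol Example <carol@example.org>",)),
]

MIN_PATTERN_LEN = 4   # hypothetical: reject three-letter patterns
MAX_HITS = 2          # hypothetical: cap on hits returned per query

_ADDR = re.compile(r"<([^<>]+)>")


def _addresses(uid: str):
    """All bracketed addresses in a user ID, lower-cased."""
    return [a.lower() for a in _ADDR.findall(uid)]


def _name_part(uid: str) -> str:
    """The user ID with bracketed addresses removed."""
    return _ADDR.sub("", uid)


def uid_matches(uid: str, pattern: str) -> bool:
    """True if the user ID satisfies the pattern under the restricted policy.

    - A '<addr>' pattern must equal one of the uid's bracketed addresses exactly.
    - Any other pattern must equal a whole word of the name part; substrings
      of words and partial addresses do not match.
    """
    m = _ADDR.fullmatch(pattern.strip())
    if m:
        return m.group(1).lower() in _addresses(uid)
    words = re.findall(r"[A-Za-z0-9']+", _name_part(uid).lower())
    return pattern.lower() in words


def lookup(pattern: str, keyring=KEYRING):
    """Search the keyring; returns (status, list of matching key IDs)."""
    pat = pattern.strip()
    if len(pat.strip("<>")) < MIN_PATTERN_LEN:
        return ("rejected: pattern too short", [])
    hits = [k.key_id for k in keyring
            if any(uid_matches(u, pat) for u in k.user_ids)]
    if len(hits) > MAX_HITS:
        return ("truncated: too many matches", hits[:MAX_HITS])
    return ("ok", hits)


if __name__ == "__main__":
    for q in ("ali", "alis", "alice", "<alice@example.org>", "<example.org>", "example"):
        print(f"{q!r:24} -> {lookup(q)}")
```

Note that a domain-wide query such as a common surname still returns hits up to the cap, which is the point the message makes: these restrictions raise the cost of bulk retrieval through the query interface but do not prevent it.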

