Tuesday, November 27, 2007

PGP Key Servers - The Yellowbook of People For Sending Encrypted Messages

Having previously played around with Seahorse (basically a gnome GUI application that sits over the top of GnuPG), I pondered what the point of generating my private and public keys were if nobody out there could independently obtain my public key for sending me messages.

Low and behold Public Key Servers. From the hour or so I spent playing around with them, there's one thing they have in common. The ability to look for someone by their name or email address. There are three popular Public Key Servers that are worth submitting your keys to:

http://pgp.mit.edu
http://keyserver.veridis.com:11371
http://keyserver.pgp.com

If anyone out there knows more worth noting, please leave them in the comments and I'll certainly add them to the list. After submitting my Public Key to each of these servers, within minutes my information was available for the world to grab.

From what I've read, many Public Key Servers seem to feed off of other ones, so once you're indexed in a few major ones, your information should spread to other lesser known ones, eventually making it fairly trivial to find you if someone wants to.

Just for fun I tried searching for some big security-buff names in the industry and managed to find key entries for folks like: Philip Zimmermann and Bruce Schneier. The one thing I found confusing was the quantity of keys for a given person. Sometimes you'll find people with 5 or even 10 key entries! What's even more strange is that sometimes, none of their keys are set to expire. I can only assume the user either forgot the pass phrase to their key pair or that they wanted to provide a more heavy-duty higher-bit key to scale with computing power. I think the safest bet is to always pick the most recently dated key for a person.

This lead me to ponder, can you delete your entries from these servers? Evidently the answer is "sort of". Using what's called a "revocation" you can usually get your old key removed, but this is on a per-server basis. So the end result is you'd have to manually go to all the servers out there in the world with your information and update them (obviously not realistic).

I hope this has helped to provide a rough picture of what Public Key Servers are all about.

Posted by Christopher M. Ball at Tuesday, November 27, 2007

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)