PGP Inc setup a "Verified Key Service". How did I find out? Because they sent me semi-spam mail to "verify my key". Not a good start...
Curious I went to their site and told them not to add the key ID they sent me, as it's a key I don't use.
I tried to add my pgp key to their server, but they told me that they don't support "v3 or older" keys. I've had my key since 1996 and I'd really rather not go through the hassle of changing it, thank you very much. (On a side note: I have considered it though, it being only 1024 bits and all).
Anyway, that's not the foolish thing. The point of PGP is that by encrypting and signing the keys, we don't have to trust that the other end of the communications email address has not been compromised. However, the "verified key service" pseudo-"verification":https://keyserver-beta.pgp.com/vkd/Verification.event is relying on, tada, that your email account hasn't been compromised. They are just sending an unencrypted email to your email account and asking you to click the link. No sending a signed mail back or being able to decrypt an encrypted mail.
Is it worse than the regular PGP key servers? Technically no. The difference is that the regular key servers are not claiming to have "verified keys" other than your regular web of trust.
Someone on the gnupg-users list argued that it's useful to weed out inactive keys, which I certainly agree with. But they shouldn't call it "verified keys", but "active keys" or some such.
A better another automatic email checker and signer: RobotCA. The RobotCA encrypts the email you are supposed to confirm and thus ensures that the reader of the email has the secret key and is able to use it.
Leave a comment