[LINK] RFI: [PGP Global Directory] Verify Your Key
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Dec 18 08:51:50 AEDT 2007
Is anyone aware of any scams surrounding the PGP.com Directory?
I've used PGP in the past, but not recently. Overnight, I've
received a request for confirmation of an entry despite not having
submitted a key for storage there.
I'm trying to think through how a fraud or significant nuisance could
be committed by registering a key in someone else's name.
It would seem to mean that the person who generated the private key
would be in a position to masquerade as me, not just by falsifying
the From: field, but also by signing the email, and having the PGP
Directory report the signature as being valid.
To be convincing, the fraudster would need to create a 'web of
(dis?!)trust' by having a few people confirm that the key is
associated with me. But most message-recipients aren't going to
understand such subtleties.
Any thoughts or leads much appreciated.
For the moment I've neither confirmed nor denied the entry.
The message received and the contents of relevant web-pages are
below. (I've of course deleted the unique parts of the confirmation
transaction, in order to make it difficult for anyone else to confirm
it.)
__________________________________________________________________________
X-Original-To: roger.clarke at xamax.com.au
Delivered-To: rclarke at apex.net.au
X-PGP-Universal: processed;
by keyserver2.pgp.com on Mon, 17 Dec 2007 03:12:02 -0800
Date: Mon, 17 Dec 2007 03:12:02 -0800 (PST)
From: PGP Global Directory <do-not-reply at keyserver2.pgp.com>
To: RogerClarke <roger.clarke at xamax.com.au>
Subject: [PGP Global Directory] Verify Your Key
X-PGP-Client-Confirmation-Token: <DELETED>
X-PGP-Verify-Token: <DELETED>
X-PGP-Email-Purpose: new-address
X-PGP-Encoding-Format: MIME
X-PGP-Encoding-Version: 2.0.2
Verify Your Key
A PGP public key containing the email address
roger.clarke at xamax.com.au has been submitted to the PGP Global
Directory.
<https://keyserver2.pgp.com/vkd/v.e?t=dYZP7IM2EJLYGHGDMMUUZXW4YAQ>
Complete the Verification Process
To verify this key submission, please visit the PGP Global Directory
by clicking the button above. You will have the opportunity to review
the details of the submitted key to ensure that it is your key, and
then choose to accept or deny it.
If you did not submit this key or do not want this key in the PGP
Global Directory, you may delete this message and take no further
action. The key will be automatically deleted within 14 days and you
will not receive any further email.
Thank you for your interest in the PGP Global Directory.
If the above link is not working, copy and paste the following link
into your web browser:
https://keyserver2.pgp.com/vkd/v.e?t=<DELETED>
No further messages regarding the PGP Global Directory will be sent
to this email address unless you choose to participate by providing a
verification response to this email.
The web-page contains:
RogerClarke
<Key>
<Fingerprint>
Roger.Clarke at xamax.com.au
0 signatures from other users
The PGP public key shown above has been submitted to the directory.
If you did not submit this key or you do not want this key in the
directory, click 'Cancel'. The key will be deleted and you will not
receive any further email regarding it.
Your email address roger.clarke at xamax.com.au is one of those attached
to the key with the fingerprint shown above. If the key published for
you is not yours, you will not be able to decrypt messages sent to
you. If the fingerprint matches, and you want to publish the key for
this address, click 'Accept'. Other PGP users will then be able to
retrieve it in order to encrypt messages to you and verify signed
messages from you.
The 'Help' / T&C page is here:
https://keyserver2.pgp.com/vkd/VKDHelpPGPCom.html
https://keyserver.pgp.com
What's so important about sending verification messages to the email
addresses on a key?
With existing keyserver technology, anyone can create a key using any
name and any email address; the keyserver makes no attempt to verify
that these keys actually belong to the person whose email address is
in the user ID of the key. Because of this, existing keyservers are
full of keys that aren't used or cannot be trusted. The PGP Global
Directory, in comparison, sends verification messages to the email
addresses on keys submitted to it. If the key owner responds to the
verification message with permission to add the key, then the key is
added to the directory. This approach keeps the PGP Global Directory
free of useless keys and protects your privacy by foiling the upload
of bogus keys that use your email address.
What's so important about the ability to remove keys?
People create new keys, forget the passphrase to their key, or stop
using their key; all of these are legitimate reasons for not using a
key anymore. Unfortunately, if these keys have been uploaded to a
keyserver, they can't be removed except by the administrator of the
keyserver. Over time, this limitation results in a keyserver
"polluted" with obsolete keys. The PGP Global Directory supports the
removal of keys by the owner, even if the passphrase has been lost,
thus preventing the buildup of unusable keys.
Does the PGP Global Directory do anything to my key when it posts it?
Yes. When a key owner gives permission for their key to be posted to
the PGP Global Directory, the key is signed by the PGP Global
Directory's Verification Key just before it is posted. This signature
attests to the fact that the email address on the key has been sent a
verification message by the PGP Global Directory and the key owner
has given permission for the key to be published. To ensure that your
copy of PGP Desktop trusts keys with this verification signature, you
need to download the PGP Global Directory's Verification Key, import
it into your copy of PGP Desktop, sign it, and set its Trust setting
to Trusted. The PGP Global Directory makes it easy to download its
Verification Key by making it available on the Email Address
Confirmed screen that you see when the email address on your key has
been verified. The PGP Global Directory Verification Key is also
available on the PGP website at
http://www.pgp.com/company/corporatekeys.html.
I just received an email message asking me to confirm the addition of
my PGP public key to the PGP Global Directory. I didn't try to add my
key, so I'm wondering what's going on?
Because you didn't try to add your key, it appears someone else did.
If you are concerned about the security implications, you can simply
prevent the addition of your key by not responding to the message.
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
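The verification flow the Help page above describes (a token mailed to the address on the submitted key, Accept or Cancel, deletion of unanswered submissions within 14 days, and certification of accepted keys by the directory's Verification Key), together with the fingerprint check the web page asks for, modelled in Python as an added example. This is illustrative code written for this page, not PGP Corporation's code: the Directory class, the address and the fingerprints are constructed, and the directory's certification is stood in by an HMAC under a directory-held secret rather than an OpenPGP signature, so checking it here is a method on the directory rather than a public-key check with the downloaded Verification Key.

```python
"""Model of the PGP Global Directory's verification flow (added example, not PGP's code).

Per the Help page: a submitted key waits in a pending state while a token is mailed to the
address on it; the address holder may Accept (the key is published and certified by the
directory's Verification Key) or Cancel (it is deleted); an unanswered submission expires
after 14 days.  Assumptions not from the page: 160-bit random tokens, and an HMAC-SHA256
under a directory-held secret standing in for the OpenPGP signature the real directory makes.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

EXPIRY = timedelta(days=14)  # Help page: unanswered submissions are deleted within 14 days


@dataclass
class Directory:
    """Pending submissions keyed by token; published keys keyed by verified address."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)    # token -> (fingerprint, email, submitted)
    published: dict = field(default_factory=dict)  # email -> (fingerprint, certification)

    def submit(self, fingerprint, email, now):
        """Anyone may submit any key bearing any address; nothing is published yet.
        The only effect is that the returned token is mailed to `email`."""
        token = secrets.token_urlsafe(20)  # unguessable, and single-use (see respond)
        self.pending[token] = (fingerprint, email, now)
        return token

    def expire(self, now):
        """Delete submissions nobody answered within EXPIRY; returns how many were purged."""
        stale = [t for t, (_, _, submitted) in self.pending.items() if now - submitted > EXPIRY]
        for t in stale:
            del self.pending[t]
        return len(stale)

    def respond(self, token, accept, now):
        """The address holder follows the mailed link and clicks Accept or Cancel.
        Returns 'published', 'cancelled' or 'invalid' (unknown, used or expired token)."""
        self.expire(now)
        sub = self.pending.pop(token, None)  # pop: a token cannot be replayed
        if sub is None:
            return "invalid"
        if not accept:
            return "cancelled"
        fingerprint, email, _ = sub
        self.published[email] = (fingerprint, self._certify(fingerprint, email))
        return "published"

    def _certify(self, fingerprint, email):
        """Stand-in for the signature the Verification Key puts on a published key."""
        return hmac.new(self.secret, f"{fingerprint}\n{email}".encode(), hashlib.sha256).hexdigest()

    def lookup(self, email):
        """What a correspondent retrieves: (fingerprint, certification) or None."""
        return self.published.get(email)

    def certification_is_valid(self, email, fingerprint, cert):
        """Stand-in for checking the directory's signature with its trusted Verification Key.
        Valid means only that the holder of `email` approved publishing `fingerprint`;
        it says nothing about who generated that key."""
        return hmac.compare_digest(self._certify(fingerprint, email), cert)


def address_holder_decides(own_fingerprint, shown_fingerprint):
    """The check the verification page asks for before Accept: is the fingerprint shown
    that of a key you generated yourself?"""
    return own_fingerprint is not None and hmac.compare_digest(own_fingerprint, shown_fingerprint)


def run_scenarios():
    """Three outcomes for a key someone else submitted under your address (constructed data)."""
    t0 = datetime(2007, 12, 17, 3, 12)
    victim = "alice at example.invalid"                               # constructed
    own_fpr = "1111 2222 3333 4444 5555 6666 7777 8888 9999 0000"    # constructed: Alice's own key
    bogus_fpr = "DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF"  # constructed: a key in her name
    results = {}
    # 1. Alice ignores the message: nothing is published, and the entry is purged after 14 days.
    d = Directory()
    d.submit(bogus_fpr, victim, t0)
    d.expire(t0 + timedelta(days=15))
    results["ignored"] = (d.lookup(victim), len(d.pending))
    # 2. Alice compares fingerprints and clicks Cancel; the token is dead afterwards.
    d = Directory()
    tok = d.submit(bogus_fpr, victim, t0)
    results["cancelled"] = (d.respond(tok, address_holder_decides(own_fpr, bogus_fpr), t0),
                            d.lookup(victim), d.respond(tok, True, t0))
    # 3. Alice clicks Accept without reading: the bogus key is published with a valid certification.
    d = Directory()
    tok = d.submit(bogus_fpr, victim, t0)
    status = d.respond(tok, True, t0)
    fpr, cert = d.lookup(victim)
    results["accepted_blindly"] = (status, fpr == bogus_fpr, d.certification_is_valid(victim, fpr, cert))
    return results
```

run_scenarios() returns the three outcomes: ignoring the message leaves nothing published and the pending entry purged; comparing the fingerprint with your own and clicking Cancel deletes it and kills the token; clicking Accept without reading publishes the other party's key for your address, and every client that trusts the Verification Key will then treat signatures made with that key as verified. The directory's signature attests only that the address holder consented, so the protection against the masquerade discussed in the post rests entirely on reading the fingerprint on the confirmation page before accepting.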