These guys have no clue, and I hope Phil Zimmermann is not involved anymore.

Every few months I get some spam crap from PGP Global Directory <do-not-reply@keyserver1.pgp.com>, asking me to "verify my key". I never respond, but they don't stop sending me junk regardless of the message stating "if you do nothing, we won't include your key and all is fine".

So far, so annoying-but-not-really-bad; after all, their keyserver sucks plenty anyway: no HKP, no email interface, just a crap web frontend. And sending confirmation emails for keys is not necessarily a bad thing.

What makes me think they're clueless idiots, however, is their help pages, their fucking signature on my key, and their broken key packets.

Have a look at this piece of lunacy: "How do I add my signature to someone else's public key on the PGP Global Directory?" Not a single word about trust, that verification of the other party's ID is absolutely necessary to build the web of trust and so on. The remainder of said example of written excrement is about as silly.

Next, their signature: DID YOU VERIFY MY KEY AND ID? DID YOU? NO? THEN DON'T SIGN MY KEY, YOU IDIOTS! Of course I won't hand out that signature, but it's there, 0xCA57AD7C signing 0x42BD645D on 2006-03-06. Their key is an RSA key, btw, and their stupid keyserver doesn't support these "legacy keys", nor does it support multiple keys with the same email address, and it also doesn't support the relevant standards: their key data structure is fucked (try retrieving that key into a gpg keyring).

Now that's a pretty good set of reasons not to trust these sods with anything, ever.

[ published on Mon 13.03.2006 13:25 | filed in interests/crypto | ]
© Alexander Zangerl