alt.security.keydist Frequently Asked Questions

Subject: Introduction

This is a list of Frequently Asked Questions (and answers) for the unmoderated newsgroup alt.security.keydist. It explains the purpose of the newsgroup and how to efficiently distribute public encryption keys using alt.security.keydist. It is a very short FAQ.

This FAQ assumes you have a basic working knowledge of your chosen encryption software. If you need more information about particular software, please try the resources listed at the end of this FAQ.

Subject: What is this newsgroup for?


This is the charter from Jonathan S. Haas’s original newgroup message, posted 27 February 1993:

For your newsgroups file:

alt.security.keydist Exchange of keys for public key encryption systems

This group is for people who use public key encryption systems such as PGP or RIPEM to have a place to exchange public keys.

Jonathan’s entire control message is archived at ftp://ftp.uu.net/usenet/control/alt/alt.security.keydist.

Subject: Why not just use a keyserver?

Although I’m sure many people have many different reasons for using this newsgroup, there are two major ones:

First, there are several public key encryption (PKE) systems (such as InvisiMail, Puffer, RIPEM, Vouch, and Sifr) that do not have keyserver networks. A newsgroup can serve as a de facto keyserver for users of those systems.

Second, even for PKE systems with established keyservers (i.e. OpenPGP), alt.security.keydist provides “another channel of distribution”. Many PGP users attempt to distribute their public keys through as many protocols as possible. Such users often have their keys available in such diverse locations as keyservers (distribution by e-mail and http), in .plan files (distribution by finger), on web pages (distribution by http), and in ftp archives. alt.security.keydist is another protocol for redundant key distribution, distribution by netnews.

(This FAQ’s author has, at various times, distributed his key by finger, by web, by keyserver, by newsgroup, by Fidonet echomail and by CompuServe file library. This FAQ’s author is prone to overkill.)

Subject: How do I post my key to alt.security.keydist?

Whatever PKE software you’re using must be able to extract your public key to a ‘7-bit’, ‘flat ascii’, or ‘plaintext’ file. (Most PKE programs now export keys in text format by default.) Once you’ve extracted your key, just start an article to alt.security.keydist, cut-and-paste the keyfile into your article, and post it.

Your subject line should state what software you’re posting a key for, and the e-mail address that key is for. I also recommend redirecting followups to e-mail with a “Followup-To: poster” header, because alt.security.keydist really isn’t a discussion group.

You should repost your public key whenever it changes (i.e., you change your e-mail address, add a certification, or revoke the key). Given the ephemeral nature of netnews articles, periodically reposting unchanged keys is acceptable. Users who expect to repost keys often should consider adding “Expires:” and/or “Supersedes:” headers to their posts. The documentation for your newsreading software should explain these headers.

MIME-educated PGP-users (and GPG-users) may want to use “Content-Type:
application/pgp-keys” for posting public keys. (This will make it easier
for many PGP users to import your key, but it may prevent Google Groups
from archiving the post containing the key.) See RFC 3156 at
http://www.ietf.org/rfc/rfc3156.txt for a description of the PGP media
types.

By the way, don’t clear-sign the message containing your public key! That
just makes it harder for people to add your key to their keyrings (Think
about it: How do people verify the signature if they don’t yet have the key
on their keyring?) and does not verify the integrity of your key.
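
The posting advice above, as an added example (not part of the original FAQ): a Python sketch that checks an exported key file before posting and builds the article with the recommended headers. The function names, the sample address, and the placeholder key are assumptions made for illustration; the check for private key material is an extra safety check the FAQ does not mention.

```python
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime

PUBLIC_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
PUBLIC_END = "-----END PGP PUBLIC KEY BLOCK-----"
# Armor headers that should never appear in a key-distribution post.
FORBIDDEN = {
    "-----BEGIN PGP SIGNED MESSAGE-----": "post is clear-signed",
    "-----BEGIN PGP PRIVATE KEY BLOCK-----": "private key material present",
}
# Constructed placeholder, not a real key.
SAMPLE_KEY = f"{PUBLIC_BEGIN}\n\nPLACEHOLDER+NOT+A+REAL+KEY\n{PUBLIC_END}\n"

def check_keyfile(text):
    """Return a list of problems; an empty list means the file can be posted."""
    problems = []
    if not text.isascii():
        problems.append("key file is not 7-bit ASCII")
    for marker, reason in FORBIDDEN.items():
        if marker in text:
            problems.append(reason)
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or lines[0] != PUBLIC_BEGIN or lines[-1] != PUBLIC_END:
        problems.append("does not start and end with a public key block")
    return problems

def build_article(keyfile, software, address, supersedes=None, days=30,
                  mime=True, now=None):
    """Build an article carrying the headers the FAQ recommends."""
    problems = check_keyfile(keyfile)
    if problems:
        raise ValueError("; ".join(problems))
    now = now or datetime.now(timezone.utc)
    msg = EmailMessage()
    msg["From"] = address
    msg["Newsgroups"] = "alt.security.keydist"
    msg["Subject"] = f"{software} public key for {address}"
    msg["Followup-To"] = "poster"          # replies go to e-mail
    msg["Expires"] = format_datetime(now + timedelta(days=days))
    if supersedes:                          # Message-ID of the earlier post
        msg["Supersedes"] = supersedes
    if mime:                                # RFC 3156 media type for key blocks
        msg["Content-Type"] = "application/pgp-keys"
    msg.set_payload(keyfile)
    return msg

if __name__ == "__main__":
    print(build_article(SAMPLE_KEY, "GPG", "alice@example.org").as_string())
```
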

Subject: Should I post my key to other newsgroups?

If you mean “Should I post my key to other alt.security.* or
comp.security.* newsgroups?”, the answer is a definite “No”. Those groups
are discussion and/or announcement groups, and public keys don’t count,
unless they’re very important keys (such as keys belonging to a timestamp
server or certificate authority).

There are, however, at least 11 other key-distribution newsgroups located in
smaller news hierarchies. You might want to crosspost your public keys to
one of these newsgroups, or monitor them for new keys:

The newsgroup demon.security.keys is part of the internal hierarchy for
Demon Internet (an internet service provider in the United Kingdom), but
has much wider distribution. Recommended for PKE-users in the UK.

The newsgroups fidonet.pkey_drop and fido7.lv.pgpkeys are (defunct?) gated
versions of (defunct?) Fidonet echomail channels. You cannot post to these
groups from the netnews side of the gateway.

The newsgroups aktiv-darkness.pgp-keys, city-net.diverses.pgp-keys,
domino.pgp.schluessel, hothouse.lokal.pgp-keys, t-netz.pgp.schluessel,
real-net.computer.pgp.public_key, waros.pgp.schluessel, and
z-netz.alt.pgp.schluessel are for distributing PGP keys only, and are part
of German-language news hierarchies (“schluessel” means “keys”). Many of
these groups are defunct and/or ISP-local groups.

Subject: Further information about software mentioned in this FAQ.

GPG is available at http://www.gnupg.org/

InvisiMail RPK is apparently out of business but the demo version of InvisiMail Lite is still available at http://www.infoweek.ch/library/Internet/IM40lite.exe

PGP is available at http://www.pgp.com/ and http://www.pgpi.org/

Puffer is available from http://www.briggsoft.com/

RIPEM’s source code is available at http://www.funet.fi/pub/crypt/cryptography/rpem/

Sifr & Vouch are available at http://www.funet.fi/pub/crypt/msdos/bin-only/