alt.security.keydist Frequently Asked Questions

Subject: Introduction

This is a list of Frequently Asked Questions (and answers) for the unmoderated newsgroup alt.security.keydist. It explains the purpose of the newsgroup and how to efficiently distribute public encryption keys using alt.security.keydist. It is a very short FAQ.

This FAQ assumes you have a basic working knowledge of your chosen encryption software. If you need more information about particular software, please try the resources listed at the end of this FAQ.

Subject: Contents of this FAQ.

  1. Introduction
  2. Contents of this FAQ.
  3. What is this newsgroup for?
  4. Why not just use a keyserver?
  5. How do I post my key to alt.security.keydist?
  6. Should I post my key to other newsgroups?
  7. Further information about specific PKE software.

Subject: What is this newsgroup for?

This is the charter from Jonathan S. Haas's original newgroup message, posted 27 February 1993:

For your newsgroups file:
alt.security.keydist Exchange of keys for public key encryption systems

This group is for people who use public key encryption systems such as
PGP or RIPEM to have a place to exchange public keys.

Jonathan's entire control message is archived at ftp://ftp.uu.net/usenet/control/alt/alt.security.keydist.

Subject: Why not just use a keyserver?

Although I'm sure many people have many different reasons for using this newsgroup, there are two major ones:

First, there are several public key encryption (PKE) systems (such as InvisiMail, Puffer, RIPEM, Vouch, and Sifr) that do not have keyserver networks. A newsgroup can serve as a de facto keyserver for users of those systems.

Second, even for PKE systems with established keyservers (i.e. OpenPGP), alt.security.keydist provides "another channel of distribution". Many PGP users attempt to distribute their public keys through as many protocols as possible. Such users often have their keys available in such diverse locations as keyservers (distribution by e-mail and http), in .plan files (distribution by finger), on web pages (distribution by http), and in ftp archives. alt.security.keydist is another protocol for redundant key distribution, distribution by netnews.

(This FAQ's author has, at various times, distributed his key by finger, by web, by keyserver, by newsgroup, by Fidonet echomail and by CompuServe file library. This FAQ's author is prone to overkill.)

Subject: How do I post my key to alt.security.keydist?

Whatever PKE software you're using must be able to extract your public key to a '7-bit', 'flat ascii', or 'plaintext' file. (Most PKE programs now export keys in text format by default.) Once you've extracted your key, just start an article to alt.security.keydist, cut-and-paste the keyfile into your article, and post it.

Your subject line should state what software you're posting a key for, and the e-mail address that key is for. I also recommend redirecting followups to e-mail with a "Followup-To: poster" header, because alt.security.keydist really isn't a discussion group.

You should repost your public key whenever it changes (i.e., you change your e-mail address, add a certification, or revoke the key). Given the ephemeral nature of netnews articles, periodically reposting unchanged keys is acceptable. Users who expect to repost keys often should consider adding "Expires:" and/or "Supersedes:" headers to their posts. The documentation for your newsreading software should explain these headers.

MIME-educated PGP-users (and GPG-users) may want to use "Content-Type: application/pgp-keys" for posting public keys. (This will make it easier for many PGP users to import your key, but it may prevent Google Groups from archiving the post containing the key.) See RFC 3156 at http://www.ietf.org/rfc/rfc3156.txt for a description of the PGP media types.

By the way, don't clear-sign the message containing your public key! That just makes it harder for people to add your key to their keyrings (Think about it: How do people verify the signature if they don't yet have the key on their keyring?) and does not verify the integrity of your key.
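
The posting steps above, sketched as an added example that is not part of the original FAQ. It assumes an OpenPGP-style armored export; the function names, the private-key refusal and the sample addresses are illustrative additions, and the sample key is a constructed placeholder.

```python
from email.utils import formatdate

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
# Constructed placeholder, not a real key: only the armor framing matters here.
SAMPLE_KEY = f"{BEGIN}\n\nmQENBFconstructedPLACEHOLDERnotArealKEY0000\n=AAAA\n{END}\n"

def check_key_text(armored):
    """Return the key block if it is fit to post; raise ValueError otherwise."""
    text = armored.strip()
    if not text.isascii():
        raise ValueError("not 7-bit ASCII; re-export the key in text form")
    if "PRIVATE KEY BLOCK" in text or "SECRET KEY BLOCK" in text:
        raise ValueError("export contains a private key; do not post it")
    if "-----BEGIN PGP SIGNED MESSAGE-----" in text:
        raise ValueError("key is clear-signed; post the bare key block")
    if text.count(BEGIN) != 1 or not (text.startswith(BEGIN) and text.endswith(END)):
        raise ValueError("expected exactly one armored public key block")
    return text

def build_article(armored, software, key_address, poster, now,
                  expires_days=None, supersedes=None):
    """Assemble headers and body for a key post to alt.security.keydist."""
    key = check_key_text(armored)
    headers = [
        ("From", poster),
        ("Newsgroups", "alt.security.keydist"),
        ("Subject", f"{software} public key for {key_address}"),
        ("Followup-To", "poster"),          # replies go to e-mail, not the group
        ("MIME-Version", "1.0"),
        ("Content-Type", "application/pgp-keys"),   # RFC 3156 media type
    ]
    if expires_days is not None:
        when = now + expires_days * 86400   # now is seconds since the epoch
        headers.append(("Expires", formatdate(when, usegmt=True)))
    if supersedes:
        headers.append(("Supersedes", supersedes))  # Message-ID of the old post
    for name, value in headers:
        if "\r" in value or "\n" in value:
            raise ValueError(f"line break in {name} header value")
    return "\n".join(f"{n}: {v}" for n, v in headers) + "\n\n" + key + "\n"

if __name__ == "__main__":
    import time
    print(build_article(SAMPLE_KEY, "GnuPG", "alice@example.org",
                        "Alice <alice@example.org>", time.time(), expires_days=30))
```

The result is the article text to hand to your newsreader or posting agent; the checks only inspect the armor framing and do not parse or validate the key material itself.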

Subject: Should I post my key to other newsgroups?

If you mean "Should I post my key to other alt.security.* or comp.security.* newsgroups?", the answer is a definite "No". Those groups are discussion and/or announcement groups, and public keys don't count, unless they're very important keys (such as keys belonging to a timestamp server or certificate authority).

There are, however, at least 11 other key-distribution newsgroups located in smaller news hierarchies. You might want to crosspost your public keys to one of these newsgroups, or monitor them for new keys:

The newsgroup demon.security.keys is part of the internal hierarchy for Demon Internet (an internet service provider in the United Kingdom), but has much wider distribution. Recommended for PKE-users in the UK.

The newsgroups fidonet.pkey_drop and fido7.lv.pgpkeys are (defunct?) gated versions of (defunct?) Fidonet echomail channels. You cannot post to these groups from the netnews side of the gateway.

The newsgroups aktiv-darkness.pgp-keys, city-net.diverses.pgp-keys, domino.pgp.schluessel, hothouse.lokal.pgp-keys, t-netz.pgp.schluessel, real-net.computer.pgp.public_key, waros.pgp.schluessel, and z-netz.alt.pgp.schluessel are for distributing PGP keys only, and are part of German-language news hierarchies ("schluessel" means "keys"). Many of these groups are defunct and/or ISP-local groups.

Subject: Further information about software mentioned in this FAQ.

GPG is available at http://www.gnupg.org/

InvisiMail RPK is apparently out of business but the demo version of InvisiMail Lite is still available at http://www.infoweek.ch/library/Internet/IM40lite.exe

PGP is available at http://www.pgp.com/ and http://www.pgpi.org/

Puffer is available from http://www.briggsoft.com/

RIPEM's source code is available at http://www.funet.fi/pub/crypt/cryptography/rpem/

Sifr & Vouch are available at http://www.funet.fi/pub/crypt/msdos/bin-only/

http://www.alt-security-keydist.info/FAQ Copyright © 1997-2004 michael@bauser.com