Proof of email ownership

S K sk4list at yahoo.com
Sun Aug 7 16:17:13 CEST 2005


How would this work out for people who do not have
control over the DNS record of domains? Best examples
are free email services like hotmail and gmail?

-SK 

--- Werner Koch <wk at gnupg.org> wrote:

> Hi!
> 
> Let me note that I am currently working on a
> simplified key validation
> scheme.  The basic idea is to connect a signature to
> a DNS entry.
> 
> Our assumption is that DNS is secure and unforgeable
> - as of now it is
> not but eventually DNSSEC will get deployed to solve
> this and many other
> problems.
> 
> Here is how it works:
> 
> To create a signature on an email (or any other
> data) you would use:
> 
>   gpg -s -Npka-address at gnupg.org=werner at example.org
> foo
> 
> (add other options as you see fit). Now when someone
> wants to verify
> the signature he does it using the usual
> 
>   gpg --verify foo.gpg
> 
> gpg detects that foo.gpg has the notation key
> pka-address at gnupg.org
> and takes its value (werner at example.org) to run a
> DNS query like:
> 
>   $ host -t txt werner._pka.example.org
>   werner._pka.example.org text
> "v=pka1\;fpr=A4D94E92B0986AB5EE9DC\
>   D755DE249965B0358A2\;uri=finger:wk at example.com"
>  
> Now it compares the fingerprint given in that Text
> record against the
> one of the public key used to verify the signature. 
> If they match, it
> has been proved that the mail address
> werner at example.org is a
> legitimate address in the domain example.org.  If
> not, someone tried
> to use a faked key. As of now we use the outcome of
> this test to
> change the validity status of the key either to FULL
> or to NEVER (if
> they don't match).
> 
> A MUA - or an MTA - may now display the verified
> address
> werner at example.org to the user and compare it to the
> From address.
> We will likely add options to gpg to make this
> easier.
> 
> As a bonus we also put the URI part into the TXT
> record to allow the
> specification of a keyserver or whatever to retrieve
> the public key.
> gpg uses this during signature verification as well
> when collecting
> the recipients of a message; i.e. if you use "-r
> joe at example.org" it
> would try to locate a PKA record for joe
> (joe._pka.example.org) and
> use this for key validation as well as to retrieve
> the key for joe.
> 
> If you want to play with this feature, you need to
> build the latest
> Subversion of gpg and put
> 
>   keyserver-options auto-pka-retrieve
> 
> into your gpg.conf.  For real PKA records, replace
> example.org by
> fsfe.org.  If this all works out well, we might want
> to apply for a
> dedicated DNS record type instead of using TXT. The
> scheme may also be
> used for S/MIME.
> 
> 
> Shalom-Salam,
> 
>    Werner
> 
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 



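The verification step Werner describes (derive `user._pka.domain` from the notation address, fetch the TXT record, parse `v=pka1;fpr=...;uri=...`, compare the fingerprint with the signing key's and set validity to FULL or NEVER) as an added worked example in Python; this is not gpg's code and not part of the thread. DNS is replaced by a constructed in-memory table holding the record from the quoted mail, and the behaviour for an address with no PKA record at all (SK's hotmail/gmail case) is an assumption: the check simply cannot say anything, so validity is left untouched.

```python
import re

# Constructed stand-in for DNS: owner name -> TXT value. The record is the
# one shown in the quoted mail, with the zone-file "\;" escapes resolved.
FAKE_DNS = {
    "werner._pka.example.org": (
        "v=pka1;fpr=A4D94E92B0986AB5EE9DCD755DE249965B0358A2;"
        "uri=finger:wk@example.com"
    ),
}


def pka_owner_name(address: str) -> str:
    """Map user@domain to the owner name gpg queries: user._pka.domain."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return f"{local}._pka.{domain}"


def parse_pka_record(txt: str) -> dict:
    """Split 'v=pka1;fpr=...;uri=...' into a dict (accepts '\\;' escapes)."""
    fields = {}
    for item in txt.replace("\\;", ";").split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1" or "fpr" not in fields:
        raise ValueError("not a usable pka1 record")
    return fields


def normalize_fpr(fpr: str) -> str:
    """Strip spaces, upper-case, and insist on a 40-hex-digit v4 fingerprint."""
    clean = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", clean):
        raise ValueError(f"bad fingerprint: {fpr!r}")
    return clean


def pka_validity(notation_address: str, signing_key_fpr: str,
                 resolver=FAKE_DNS.get) -> str:
    """Return FULL if the DNS fingerprint matches the signing key, NEVER if
    it does not, and UNCHANGED (assumption) when no PKA record exists."""
    txt = resolver(pka_owner_name(notation_address))
    if txt is None:
        return "UNCHANGED"
    record = parse_pka_record(txt)
    match = normalize_fpr(record["fpr"]) == normalize_fpr(signing_key_fpr)
    return "FULL" if match else "NEVER"
```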

