Proof of email ownership

Michael Daigle list-gnupg at mikedaigle.ca
Sat Aug 6 02:37:47 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

In reply to David Srbecky's message sent 2005-08-05 17:36:

> I just installed GnuPG to Thunderbird, created a key pair and
> uploaded it to a keyserver. I expected to receive some mail
> designed to verify that I really own the email address (similar to
> the one that I just received to subscribe to this list), but I did not
> receive any.
>
> How can people know that I own the address if GnuPG did not check it?

GnuPG is a cryptographic application. It verifies digital signatures,
not email addresses.

> My next idea was that GnuPG is multipurpose cryptographic software
> and I need to get some special signature verifying that I own
> specific mail. I was looking for a way to accomplish that, but I have
> not found any.

There is no magic bullet :-( A signature is only "special" to the one
who recognizes it. Some people trust my sig, while others have no cause
to. The same goes for bots and CA's. That's why the web of trust is
important. The more signatures you get on your key, the greater the odds
someone who receives your key sees a signature of someone they trust.

> Are there any servers/bots that can verify that I own mail and then
> sign my key to certify that?

The PGP Global Directory will only publish UID's bearing email addresses
that you confirm.

https://keyserver-beta.pgp.com/vkd/GetWelcomeScreen.event

The Robot CA at toehold.com will also similarly validate your email address.

http://www.toehold.com/robotca/

There are other organized webs of trust around like Thawte Consulting
(www.thawte.com), CAcert (www.cacert.org) and the Gossamer Spider Web of
Trust (www.gswot.org). Thawte is a commercial CA (only good for X.509
unless you use a compatible RSA OpenPGP key). CAcert is a not-for-profit
CA (X.509 and OpenPGP; trying for browser inclusion). GSWoT is a
grassroots organization that endorses CAcert Assurers, Thawte Notaries,
and other internally produced assurers to enhance the OpenPGP web of
trust. These entities perform identity assurance. You won't get a
signature for proving access to an email address.


- --
Mike Daigle                                   http://www.mikedaigle.ca
My PGP Key                                 mailto:pgpkey at mikedaigle.ca
Gossamer Spider Web of Trust                      http://www.gswot.org
Get Your Own Subdomain!                  http://www.gswot.org/yourname

-----BEGIN PGP SIGNATURE-----
Comment: GSWoT - Gossamer Spider Web of Trust - www.gswot.org

iD8DBQFC9AZaNuccKlqTLlMRA2/NAKDZNFcuuoAhUAbKGZBMrp2z2wcCaACgq9UA
X8336TQYfwdNfIpm0mxshtI=
=0s6L
-----END PGP SIGNATURE-----
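
Added example (not part of the original message): a short Python parser for the output of `gpg --with-colons --list-sigs` that reports, for each user ID, which certifications come from someone other than the key owner. The sample listing, key IDs, names and addresses are constructed for illustration. A user ID with an empty list is vouched for only by the key itself, which is the state of any freshly uploaded key.

```python
# Constructed sample of `gpg --with-colons --list-sigs` output.
# Key IDs, names, addresses and dates are made up for this example.
SAMPLE = """\
pub:-:1024:17:1111111111111111:1123286400:::-:::scESC:
uid:-::::1123286400::0000000000000000000000000000000000000000::David Example <david@example.org>:
sig:::17:1111111111111111:1123286400::::David Example <david@example.org>:13x:
sig:::17:2222222222222222:1123372800::::Example Robot CA <robot@example.net>:10x:
uid:-::::1123286400::0000000000000000000000000000000000000001::David Example <anyone@example.com>:
sig:::17:1111111111111111:1123286400::::David Example <david@example.org>:13x:
sub:-:2048:16:3333333333333333:1123286400::::::e:
sig:::17:1111111111111111:1123286400::::David Example <david@example.org>:18x:
"""

# OpenPGP certification signature types 0x10-0x13 (signatures over a user ID).
CERT_CLASSES = {"10", "11", "12", "13"}


def third_party_certs(colon_output):
    """Map each user ID to [(signer_keyid, signer_name)], self-signatures excluded."""
    primary = None      # key ID of the key being listed
    current_uid = None  # user ID the following sig records belong to
    result = {}
    for line in colon_output.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            primary, current_uid = f[4], None
        elif rec == "uid":
            current_uid = f[9]  # field 10: the user ID string
            result[current_uid] = []
        elif rec in ("sub", "ssb", "uat"):
            current_uid = None  # following sigs are not user ID certifications
        elif rec == "sig" and current_uid is not None:
            sig_class = f[10][:2]  # field 11, e.g. "13x" -> "13"
            if sig_class in CERT_CLASSES and f[4] != primary:
                result[current_uid].append((f[4], f[9]))
    return result


if __name__ == "__main__":
    for uid, certs in third_party_certs(SAMPLE).items():
        print(uid)
        if not certs:
            print("  self-signed only: nothing vouches for this address")
        for keyid, name in certs:
            print(f"  certified by {keyid} {name}")
```

A listed certification only helps a recipient who has reason to trust the signer's key.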
