Proof of email ownership

S K sk4list at
Sun Aug 7 16:17:13 CEST 2005

How would this work out for people who do not have
control over the DNS record of domains? Best examples
are free email services like hotmail and gmail?


--- Werner Koch <wk at> wrote:

> Hi!
> Let me note that I am currently working on a
> simplified key validation
> scheme.  The basic idea is to connect a signature to
> an DNS entry.
> Our assumption is that DNS is secure and unforgeable
> - as of now it is
> not but eventually DNSSEC will get deployed to solve
> this and many other
> problems.
> Here is how it works:
> To create a signature on an email (or any other
> data) you would use:
>   gpg -s -Npka-address at at
> foo
> (add other options as you see fit). Now when someone
> wants to verify
> the signature he does it using the usual
>   gpg --verify foo.gpg
> gpg detects that foo.gpg has the notation key
> pka-address at
> and takes its value (werner at to run a
> DNS query like:
>   $ host -t txt
> text
> "v=pka1\;fpr=A4D94E92B0986AB5EE9DC\
>   D755DE249965B0358A2\;uri=finger:wk at"
> Now it compares the fingerprint given in that Text
> record against the
> one of the public key used to verify the signature. 
> If they match, it
> has been proved that the mail address
> werner at is a
> legitimate address in the domain  If
> not, someone tried
> to use a faked key. As of now we use the outcome of
> this test to
> change the validity status of the key either to FULL
> or to NEVER (if
> they don't match).
> A MUA - or an MTA - may now display the verified
> address
> werner at to the user and compare it to the
> From address.
> Will will likely add ptions to gpg to make this
> easier.
> As a bonus we also put the URI part into the TXT
> record to allow the
> specification of a keyserver or whatever to retrieve
> the public key.
> gpg uses this during signature verification as well
> when collecting
> the recipients of a message; i.e. if you use "-r
> joe at" it
> would try to locate a PKA record for joe
> ( and
> use this for key validation as well as to retrieve
> the key for joe.
> If you want to play with this feature, you need to
> build the latest
> Subversion of gpg and put
>   keyserver-options auto-pka-retrieve
> into your gpg.conf.  For real PKA records, replace
> by
>  If this all works out well, we might want
> to apply for a
> dedicated DNS record type instead of using TXT. The
> scheme may also be
> used for S/MIME.
> Shalom-Salam,
>    Werner
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

More information about the Gnupg-users mailing list