Proof of email ownership
sk4list at yahoo.com
Sun Aug 7 16:17:13 CEST 2005
How would this work out for people who do not have
control over the DNS record of domains? Best examples
are free email services like hotmail and gmail?
--- Werner Koch <wk at gnupg.org> wrote:
> Let me note that I am currently working on a
> simplified key validation
> scheme. The basic idea is to connect a signature to
> an DNS entry.
> Our assumption is that DNS is secure and unforgeable
> - as of now it is
> not but eventually DNSSEC will get deployed to solve
> this and many other
> Here is how it works:
> To create a signature on an email (or any other
> data) you would use:
> gpg -s -Npka-address at gnupg.org=werner at example.org
> (add other options as you see fit). Now when someone
> wants to verify
> the signature he does it using the usual
> gpg --verify foo.gpg
> gpg detects that foo.gpg has the notation key
> pka-address at gnupg.org
> and takes its value (werner at example.org) to run a
> DNS query like:
> $ host -t txt werner._pka.example.org
> werner._pka.example.org text
> D755DE249965B0358A2\;uri=finger:wk at example.com"
> Now it compares the fingerprint given in that Text
> record against the
> one of the public key used to verify the signature.
> If they match, it
> has been proved that the mail address
> werner at example.org is a
> legitimate address in the domain example.org. If
> not, someone tried
> to use a faked key. As of now we use the outcome of
> this test to
> change the validity status of the key either to FULL
> or to NEVER (if
> they don't match).
> A MUA - or an MTA - may now display the verified
> werner at example.org to the user and compare it to the
> From address.
> Will will likely add ptions to gpg to make this
> As a bonus we also put the URI part into the TXT
> record to allow the
> specification of a keyserver or whatever to retrieve
> the public key.
> gpg uses this during signature verification as well
> when collecting
> the recipients of a message; i.e. if you use "-r
> joe at example.org" it
> would try to locate a PKA record for joe
> (joe._pka.example.org) and
> use this for key validation as well as to retrieve
> the key for joe.
> If you want to play with this feature, you need to
> build the latest
> Subversion of gpg and put
> keyserver-options auto-pka-retrieve
> into your gpg.conf. For real PKA records, replace
> example.org by
> fsfe.org. If this all works out well, we might want
> to apply for a
> dedicated DNS record type instead of using TXT. The
> scheme may also be
> used for S/MIME.
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
More information about the Gnupg-devel