Web Key Directory

Werner Koch wk at gnupg.org
Fri May 13 12:48:59 CEST 2016

On Thu, 12 May 2016 14:37, bernhard at intevation.de said:

> But it shows ownership of the email account.

It shows that you have the credentials.  It does not prove that you have
access to your mail account.  There may be further restrictions to
access the mails.

> With showing it by credentials it may save the crypto processing side
> of the server to construct, save and confirm a challenge. Otherwise

Without a challenge you can't prove that you are in possession of the
mail account.

> If one out of 10.000 users has this issue, he will be of the subset of
> archetype "Bob" (from https://wiki.gnupg.org/EasyGpg2016/VisionAndStories)
> and we should probably not design for it. Bob could just use the WoT.

Air-gapping and selecting the trust model are orthogonal.  You use an
air-gap to mitigate attacks on the software you are running.  The trust
model is used to confirm the identity of your communication partners.

> The protocol can be designed in a way that if Bob wants to he can:
> Take the challenge carry it over to a different machine, solve it there and 
> then take it back and transmit back with TLS.

Right, a store and forward system, i.e. mail.



Thoughts are free.  Exceptions are regulated by a federal law.
    /* EFH in Erkrath: https://alt-hochdahl.de/haus */
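The exchange argued for above, as an added example that is not code from this post nor from GnuPG's WKD/WKS implementation: the server mails a challenge to the address, the owner answers it on whatever machine the mail text was carried to, and the server verifies the answer without having stored anything. All names (issue_challenge, answer_challenge, verify_response, tamper, demo), the address, the fingerprint and the timestamp are constructed for the illustration. What is deliberately left out is the step a real service would add on top, encrypting the challenge to the submitted key so that answering also proves possession of the private key; here the answer proves only that the nonce was read from the mailbox, which is the point the thread is about: no login credentials enter the protocol at all.

```python
# Added example (not from the GnuPG list post or the WKD/WKS code): a
# mail-delivered challenge that proves possession of a mailbox, independent
# of any login credentials, and that can be answered on a different machine
# because mail is store-and-forward.
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values: the server's MAC key and a challenge lifetime of one day.
SERVER_KEY = secrets.token_bytes(32)
CHALLENGE_TTL = 24 * 60 * 60


def _mac(address: str, fingerprint: str, nonce: str, expiry: int) -> str:
    # Bind the nonce to the address, the key and the deadline, so a response
    # cannot be replayed for another address or key, and so the server need
    # not keep outstanding challenges in a database to verify them later.
    msg = "\0".join([address, fingerprint, nonce, str(expiry)]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _encode(obj: dict) -> str:
    # One opaque text blob, so it survives copy/paste or a USB stick.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()


def _decode(text: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(text))


def issue_challenge(address: str, fingerprint: str, now: int) -> str:
    """Server side: build the challenge that is mailed to `address`.

    Nothing the submitter presented (a password, a TLS session) is used; the
    only way to learn the nonce is to read the mailbox it is delivered to.
    """
    nonce = secrets.token_urlsafe(32)
    expiry = now + CHALLENGE_TTL
    return _encode({
        "address": address,
        "fingerprint": fingerprint,
        "nonce": nonce,
        "expiry": expiry,
        "mac": _mac(address, fingerprint, nonce, expiry),
    })


def answer_challenge(mail_body: str) -> str:
    """Client side: may run on any machine the challenge text was carried to.

    The response is again plain text, so it can travel back by mail or be
    pasted into a TLS form; the transport does not matter to the proof.
    """
    challenge = _decode(mail_body)
    keys = ("address", "fingerprint", "nonce", "expiry", "mac")
    return _encode({k: challenge[k] for k in keys})


def verify_response(response_text: str, now: int) -> bool:
    """Server side: accept only an unexpired response carrying a MAC it issued."""
    try:
        r = _decode(response_text)
        address, fingerprint, nonce = r["address"], r["fingerprint"], r["nonce"]
        expiry, mac = int(r["expiry"]), str(r["mac"])
    except (ValueError, KeyError, TypeError):
        return False
    if now > expiry:
        return False
    expected = _mac(address, fingerprint, nonce, expiry)
    # Constant-time comparison: the MAC is the whole proof.
    return hmac.compare_digest(expected, mac)


def tamper(response_text: str, **changes) -> str:
    """Alter fields of a response the way someone who intercepted another
    person's challenge and wants it accepted for their own key might."""
    r = _decode(response_text)
    r.update(changes)
    return _encode(r)


def demo() -> dict:
    """Run the exchange once and the three ways it must fail."""
    now = 1_463_100_000  # constructed timestamp
    address = "alice@example.org"  # constructed
    fingerprint = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed
    mail = issue_challenge(address, fingerprint, now)      # leaves the server by mail
    response = answer_challenge(mail)                      # solved on any machine
    return {
        "honest": verify_response(response, now + 3600),
        "other_address": verify_response(tamper(response, address="mallory@example.org"), now),
        "other_key": verify_response(tamper(response, fingerprint="F" * 40), now),
        "expired": verify_response(response, now + CHALLENGE_TTL + 1),
        "garbage": verify_response("@@@@", now),
    }


if __name__ == "__main__":
    print(demo())
```

The server stores nothing between issuing and verifying, which answers the concern about the cost of having to "construct, save and confirm" a challenge: the MAC over address, fingerprint, nonce and expiry lets it recognise its own challenge later, and the expiry bounds how long a leaked or intercepted mail stays useful.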

More information about the Gnupg-devel mailing list