Several questions as feedback on gnupg

Ingo Klöcker
Wed Jan 23 21:38:02 2002

On Wednesday 23 January 2002 19:53, Loic Bernable wrote:
> According to Mark Brown:
> > When validating the user ID you should validate the whole of the
> > user ID, including the e-mail address portion.  Methods like
> > showing that encrypted mail to the e-mail address in the UID can be
> > read could be used.
> So your advice should be to send an encrypted email to the person who
> gave you his/her key, wait for his/her approval by email and *only*
> then sign his/her key, right?

Do the following for each email address/UID on the key:
1. Generate some random text (it has to be different for each UID).
2. Send this random text to the keyowner in an encrypted message.
3. If the email address you sent the message to really belongs to the
keyowner, he'll receive the message, decrypt it, read it and reply to it
quoting the secret random text.
4. Now you simply compare whether the random text he quotes is the same
as the one you sent to him.

By following this procedure you can ensure that the keyowner has access
to the email addresses listed as UIDs in his key.

The message you send to the keyowner could look like this:
----
You are being sent this mail because we exchanged PGP/GPG key
fingerprints at some point in the past.

Please decrypt the following message for instructions on how to
complete the certification protocol.
---------Encrypted message-------------
This message is sent as part of my certification process.
It is to verify that you, the keyholder of 30E0B9D8
can read email sent to the associated address
Ingo H. Klöcker <>

Please, now that you have decrypted this message,
simply reply to
  <your email address>

| Key: 30E0B9D8
| Magic: <some random characters>
| Upload to keyservers: Yes

in the body of your mail.

If you asked me to certify more than one userid or email address
on your key you should receive one of these messages for each
address - in that case please send one reply per address, too.

If you do not want the signed key to be uploaded to the keyserver
network simply remove or change the line 'Upload to keyservers'.

  <your name>
---------------------------------------
----

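The four steps above, sketched as an added example that is not part of the original post: it generates one independent token per UID, builds the plaintext using the `| Key:` / `| Magic:` / `| Upload to keyservers:` lines from the sample message, and checks a (possibly `>`-quoted) reply. The function names and the example.org addresses are hypothetical, and encrypting and mailing the challenge are assumed to happen outside this code.

```python
import hmac
import re
import secrets

# Matches "| Name: value" lines, also when a mail client quoted them with "> ".
FIELD = re.compile(
    r"^[> \t]*\|[ \t]*(Key|Magic|Upload to keyservers):[ \t]*(.*?)[ \t\r]*$", re.M)

def make_challenges(key_id, uids):
    """Steps 1-2: one independent random token per UID address on the key."""
    return {uid: {"key": key_id, "magic": secrets.token_urlsafe(24)} for uid in uids}

def challenge_body(challenge, reply_to):
    """Plaintext that is then encrypted to the key being certified."""
    return (
        "Please, now that you have decrypted this message,\n"
        f"simply reply to\n  {reply_to}\n\n"
        f"| Key: {challenge['key']}\n"
        f"| Magic: {challenge['magic']}\n"
        "| Upload to keyservers: Yes\n"
    )

def check_reply(challenges, uid, reply_text):
    """Steps 3-4: accept only if the reply quotes the token sent to this UID."""
    expected = challenges.get(uid)
    if expected is None:  # no challenge was ever sent to this address
        return {"verified": False, "upload": False}
    fields = dict(FIELD.findall(reply_text))
    key_ok = fields.get("Key", "").upper() == expected["key"].upper()
    # Constant-time comparison of the quoted token against the one we sent.
    magic_ok = hmac.compare_digest(
        fields.get("Magic", "").encode(), expected["magic"].encode())
    verified = key_ok and magic_ok
    # The key owner opts out of upload by removing or changing this line.
    upload = fields.get("Upload to keyservers", "").lower() == "yes"
    return {"verified": verified, "upload": verified and upload}

if __name__ == "__main__":
    # Constructed sample: key ID from the message above, made-up addresses.
    sent = make_challenges("30E0B9D8", ["a@example.org", "b@example.org"])
    body = challenge_body(sent["a@example.org"], "signer@example.org")
    reply = "\n".join("> " + line for line in body.splitlines())
    print(check_reply(sent, "a@example.org", reply))
    print(check_reply(sent, "b@example.org", reply))  # token of another UID
```

Because each UID gets its own token, a reply that proves access to one address cannot be reused to certify another UID on the same key.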