automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)

Jason Harris
Sat Oct 26 01:09:01 2002

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Oct 25, 2002 at 01:32:26PM -0400, David Shaw wrote:

> The basic idea was a web form where a user could paste their key or an
> email address to send it the key to.  The program would then email a
> challenge string to each email address on the key.  If the challenge
> came back signed by the user's key, then the program would sign that
> user ID with its own key.

(NB: doesn't sign keys, and AIUI there aren't any
plans for it to, but it does verify email addresses via challenge/response

Instead of trying to keep track of PGP keys making userid certifications
in automated systems, would a new signature class (0x14 - email address
verified via challenge/response) be advisable?  I've already issued
a few 0x12 (casually checked) signatures instead of 0x13 (carefully
checked) signatures to handle this situation...

> first came up.  I happen to have a bit more free time nowadays (I'm

(Are you sure you should be admitting to this?  :)

Jason Harris          | NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it? | web:

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.0 (FreeBSD)