automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)

Jason Harris jharris@widomaker.com
Sat Oct 26 01:09:01 2002


On Fri, Oct 25, 2002 at 01:32:26PM -0400, David Shaw wrote:

> The basic idea was a web form where a user could paste their key or an
> email address to send it the key to.  The program would then email a
> challenge string to each email address on the key.  If the challenge
> came back signed by the user's key, then the program would sign that
> user ID with its own key.

(NB:  http://biglumber.com/ doesn't sign keys, and AIUI there aren't any
plans for it to, but it does verify email addresses via challenge/response
now.)

Instead of trying to keep track of PGP keys making userid certifications
in automated systems, would a new signature class (0x14 - email address
verified via challenge/response) be advisable?  I've already issued
a few 0x12 (casually checked) signatures instead of 0x13 (carefully
checked) signatures to handle this situation...

> first came up.  I happen to have a bit more free time nowadays (I'm

(Are you sure you should be admitting to this?  :)

-- 
Jason Harris          | NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web:  http://jharris.cjb.net/
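
Added example, not part of the original message or of any project it mentions: a small Python reader that walks a binary OpenPGP packet stream and reports the signature type octet of each signature packet, which is where the 0x12/0x13 certification levels discussed above are recorded. The function names and sample bytes are constructed for illustration; the packet layouts assumed are those of RFC 4880 (sections 4.2 and 5.2).

```python
# Added example; names and sample data are illustrative, not from the thread.
CERT_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}

def read_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet starting at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header: tag in the low 6 bits
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not handled")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not handled")
    n = 1 << ltype  # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def signature_types(buf):
    """List (version, sig_type, label) for each signature packet (tag 2)."""
    pos, found = 0, []
    while pos < len(buf):
        tag, start, length = read_header(buf, pos)
        body = buf[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        if tag == 2:
            if len(body) < 3 or body[0] not in (3, 4):
                raise ValueError("unsupported signature packet")
            # v3 puts a hashed-length octet before the type; v4 does not.
            sig_type = body[2] if body[0] == 3 else body[1]
            label = CERT_TYPES.get(sig_type, "not an assigned certification type")
            found.append((body[0], sig_type, label))
        pos = start + length
    return found

# Constructed sample: header fields only, no real key or signature material.
SAMPLE = (bytes.fromhex("b405") + b"alice"        # user ID packet, skipped
          + bytes.fromhex("88080412010200000000")  # old header, v4, type 0x12
          + bytes.fromhex("c2080413010200000000")  # new header, v4, type 0x13
          + bytes.fromhex("880703051000000000")    # old header, v3, type 0x10
          + bytes.fromhex("88080414010200000000")) # v4, type 0x14 (proposed above)
```

A type such as the proposed 0x14 comes back labelled as not assigned, so a checker built this way treats it as unknown rather than as a verified user ID.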
