automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)
Sat Oct 26 01:09:01 2002
Content-Type: text/plain; charset=us-ascii
On Fri, Oct 25, 2002 at 01:32:26PM -0400, David Shaw wrote:
> The basic idea was a web form where a user could paste their key or an
> email address to send it the key to. The program would then email a
> challenge string to each email address on the key. If the challenge
> came back signed by the user's key, then the program would sign that
> user ID with its own key.
(NB: http://biglumber.com/ doesn't sign keys, and AIUI there aren't any
plans for it to, but it does verify email addresses via challenge/response
Instead of trying to keep track of PGP keys making userid certifications
in automated systems, would a new signature class (0x14 - email address
verified via challenge/response) be advisable? I've already issued
a few 0x12 (casually checked) signatures instead of 0x13 (carefully
checked) signatures to handle this situation...
> first came up. I happen to have a bit more free time nowadays (I'm
(Are you sure you should be admitting to this? :)
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
firstname.lastname@example.org | web: http://jharris.cjb.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (FreeBSD)
-----END PGP SIGNATURE-----