automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)

David Shaw dshaw@jabberwocky.com
Sat Oct 26 01:22:01 2002


On Fri, Oct 25, 2002 at 07:09:42PM -0400, Jason Harris wrote:
> On Fri, Oct 25, 2002 at 01:32:26PM -0400, David Shaw wrote:
> 
> > The basic idea was a web form where a user could paste their key or an
> > email address to send it the key to.  The program would then email a
> > challenge string to each email address on the key.  If the challenge
> > came back signed by the user's key, then the program would sign that
> > user ID with its own key.
> 
> (NB:  http://biglumber.com/ doesn't sign keys, and AIUI there aren't any
> plans for it to, but it does verify email addresses via challenge/response
> now.)
> 
> Instead of trying to keep track of PGP keys making userid certifications
> in automated systems, would a new signature class (0x14 - email address
> verified via challenge/response) be advisable?  I've already issued
> a few 0x12 (casually checked) signatures instead of 0x13 (carefully
> checked) signatures to handle this situation...

I'd rather use 0x11, as a new signature class would have a serious
backwards compatibility problem.  0x11 is pretty good for this
purpose.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
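
The signature classes discussed in this thread, shown as an added example that is not part of the original message or of any poster's code: a minimal reader that pulls the signature type octet out of an OpenPGP signature packet and names its certification class from the RFC 2440 table. The sample packets are constructed (header fields only, not valid signatures), and the function names are hypothetical. A reader built from the existing table has no name for a 0x14 signature, while 0x11 is already defined.

```python
CERT_CLASSES = {                          # user ID certifications, RFC 2440
    0x10: "generic certification",
    0x11: "persona certification",
    0x12: "casual certification",
    0x13: "positive certification",
}

def signature_body(packet: bytes) -> bytes:
    """Strip the packet header from one OpenPGP signature packet (tag 2)."""
    first = packet[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                      # new-format header
        tag, o1 = first & 0x3F, packet[1]
        if o1 < 192:
            start, length = 2, o1
        elif o1 < 224:
            start, length = 3, ((o1 - 192) << 8) + packet[2] + 192
        elif o1 == 255:
            start, length = 6, int.from_bytes(packet[2:6], "big")
        else:
            raise ValueError("partial body lengths not handled")
    else:                                 # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        size = 1 << ltype                 # 1, 2 or 4 length octets
        start, length = 1 + size, int.from_bytes(packet[1:1 + size], "big")
    if tag != 2:
        raise ValueError("not a signature packet")
    body = packet[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return body

def certification_class(packet: bytes) -> str:
    body = signature_body(packet)
    if body[0] == 4:                      # v4: version, signature type, ...
        sig_type = body[1]
    elif body[0] == 3:                    # v3: version, hashed length, type
        sig_type = body[2]
    else:
        raise ValueError("unsupported signature version")
    return CERT_CLASSES.get(sig_type, "unknown class 0x%02x" % sig_type)

# Constructed packets: zeroed fields, empty subpacket areas, no MPIs.
V4_PERSONA = bytes.fromhex("880a" "04110102" "0000" "0000" "0000")
V4_PROPOSED = bytes.fromhex("c20a" "04140102" "0000" "0000" "0000")
V3_POSITIVE = bytes.fromhex("890013" "030513" + "00" * 12 + "0102" "0000")
```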