automated userid certifications (was Re: E-Mail Encryption: Why Isn't Everyone Doing It?)

David Shaw
Sat Oct 26 01:22:01 2002

On Fri, Oct 25, 2002 at 07:09:42PM -0400, Jason Harris wrote:
> On Fri, Oct 25, 2002 at 01:32:26PM -0400, David Shaw wrote:
> > The basic idea was a web form where a user could paste their key or an
> > email address to send it the key to.  The program would then email a
> > challenge string to each email address on the key.  If the challenge
> > came back signed by the user's key, then the program would sign that
> > user ID with its own key.
> (NB: doesn't sign keys, and AIUI there aren't any
> plans for it to, but it does verify email addresses via challenge/response
> now.)
> Instead of trying to keep track of PGP keys making userid certifications
> in automated systems, would a new signature class (0x14 - email address
> verified via challenge/response) be advisable?  I've already issued
> a few 0x12 (casually checked) signatures instead of 0x13 (carefully
> checked) signatures to handle this situation...

I'd rather use 0x11, as a new signature class would have a serious
backwards compatibility problem.  0x11 is pretty good for this


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson