E-Mail Encryption: Why Isn't Everyone Doing It?
Adrian 'Dagurashibanipal' von Bidder
Tue Oct 29 09:43:01 2002
On Fri, 2002-10-25 at 19:32, David Shaw wrote:
> The basic idea was a web form where a user could paste their key or an
> email address to send it the key to. The program would then email a
> challenge string to each email address on the key. If the challenge
> came back signed by the user's key, then the program would sign that
> user ID with its own key.
0x11 signatures were mentioned, I'd agree to that. Also, policy URLs
(With the openpgp standard purposely /not/ defining the meaning of a
signature, I feel that every signature should have a policy URL (or some
other way of stating what it means).
I'd propose that the CA-bot only sign userids with *only* the email
address, to make it clear that no binding between email address and any
real name is confirmed. But I wouldn't recommend requiring any special
comment on the userid - the userid should be usable to collect other
signatures on it as well.
> One gotcha we can avoid, if there are multiple levels of certification
> in the future, is to use a different signing key for each. That way
> users can trust the signing key for the exact service they want. I
> understand Thawte got this detail wrong when they set up their PGP
> signing service.
I'd prefer multiple signing keys over the 0x signature thing, too.
The default userid of the key should make it clear which certification
this email is protected by a digital signature: http://fortytwo.ch/gpg
NOTE: keyserver bugs! get my key here: https://fortytwo.ch/gpg/92082481
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/gpg/policy/email.20020822