E-Mail Encryption: Why Isn't Everyone Doing It?

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Tue Oct 29 09:43:01 2002

Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Fri, 2002-10-25 at 19:32, David Shaw wrote:

> The basic idea was a web form where a user could paste their key or an
> email address to send it the key to.  The program would then email a
> challenge string to each email address on the key.  If the challenge
> came back signed by the user's key, then the program would sign that
> user ID with its own key.

0x11 signatures were mentioned, I'd agree to that. Also, policy URLs
(With the openpgp standard purposely /not/ defining the meaning of a
signature, I feel that every signature should have a policy URL (or some
other way of stating what it means).

I'd propose that the CA-bot only sign userids with *only* the email
address, to make it clear that no binding between email address and any
real name is confirmed. But I wouldn't recommend requiring any special
comment on the userid - the userid should be usable to collect other
signatures on it as well.

> One gotcha we can avoid, if there are multiple levels of certification
> in the future, is to use a different signing key for each.  That way
> users can trust the signing key for the exact service they want.  I
> understand Thawte got this detail wrong when they set up their PGP
> signing service.

I'd prefer multiple signing keys over the 0x[123] signature thing, too.
The default userid of the key should make it clear which certification
was issued.

-- vbi

this email is protected by a digital signature:  http://fortytwo.ch/gpg

NOTE: keyserver bugs! get my key here: https://fortytwo.ch/gpg/92082481

Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

Version: GnuPG v1.0.7 (GNU/Linux)

Signature policy: http://fortytwo.ch/gpg/policy/email.20020822