Opportunistic Encryption

Yenot yenot@sec.to
Wed May 21 14:17:39 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 16 May 2003 02:19 pm, Per Tunedal wrote:
>
> I would like to add automatic use of robot-CA:s to the scheme. It's
> a simple way of tieing a key to an e-mail address:
> - the user just generates a key
> - the client sends it to a robot-CA
> - the robot CA signs the key, encrypts it with the same key and
> returns it to all e-mail addresses used in the userid.
> - the encrypted message from the robot-CA is received, decrypted,
> the signed key is imported to the keyring and sent to at least one
> keyserver.

I intentionally left the robot-CA out of my proposal. Original post 
here:
 http://marc.theaimsgroup.com/?l=gnupg-users&m=105303925223294&w=2

With the public keyservers, robot verification serves a greater 
purpose.  Any moron can upload 1000 bogus keys for your e-mail 
address to the public keyservers. Those keys will stay on the servers 
forever. The robot-CA provides a way of getting around this 
non-temporary DOS attack.  

The main objection people had to the robot-CA, was that it added more 
risk and complexity to an already complex system.  To me, this is/was 
a valid complaint, so I protocol I sketched out reduces complexity 
and infrastructure by eliminating the problematic public keyservers 
altogether.

Since full key exchange occurs over the course of 3 messages (1.5 
round trips I should have written in the original message), your 
assurance that addresses and keys correlate is already high.  For 
further assurance, key exchange was made as simple as possible.

 - Yenot
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+yXPTP247TY29IxARAprGAJ9sGXspH7DVFQL1CzA/QbPlcl6yLgCfW8ma
umC0msetKTmdgNk6QJ1IK+g=
=hcqn
-----END PGP SIGNATURE-----