re. Moving from PGP to GnuPG and other questions ...
Josh Huber
huber+gpg at alum.wpi.edu
Thu Apr 29 22:49:54 CEST 2004
Jeff Fisher <jeff+gnupg at jeffenstein.org> writes:
> [...]
> There is also the e-mail address in the user id field, which should
> be unique and relatively constant, but little or none of the
> information on signing keys mentions verifying that the e-mail
> address is actually this person. Yes, it's possible that someone
> else will take that e-mail address, but if several e-mail addresses
> are listed on the key, you can be relatively sure that you can still
> reach the person.
Before I sign someone's key, I like to verify the email addresses
associated with each UID. I do this with a small emacs "plugin" which
uses Gnus to generate and send encrypted challenge messages to each
uid, given a keyid.
It's here: http://www.paradoxical.net/~huber/gpg-party.el
For each uid, I generate a random challenge string. I'll only sign
a uid if I get a matching challenge string back.
Maybe this is overkill, but I like it!
--
Josh Huber
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: not available
Url : /pipermail/attachments/20040429/867a5663/attachment.bin
More information about the Gnupg-users
mailing list