Keysigning challenge policies/procedures

[Todd Zullinger]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marcus Frings wrote:
> * Todd Zullinger <tmz at pobox.com> wrote:
> 
>> I was wondering if some folks here have detailed their challenge
>> policies and procedures and if you'd mind sharing them if you have?
>> Even handier would be some scripts to help in the automation of this
>> task.  ;)
> 
> http://www.sc-delphin-eschweiler.de/pgp/
> http://sion.quickie.net/keysigning.txt
> http://pgp-tools.alioth.debian.org/

Thank you Marcus.  I had actually found your page while doing some
research and read it.  Very nicely outlined.  Thank you for sharing it
with the world.

I believe that we will be using the method outlined in Len Sassaman's
and Phil Zimmermann's paper from above.  This too I had read while
researching this earlier.  (It's good to know I've run across some of
the same info you recommend. :)

What I don't see in any of the links is more information about sending
an email challenge before signing a key.  (My apologies if I'm
overlooking it on your page or any of the others.)

It's been discussed here before but I've not found any scripts or good
details that I could point my fellow LUG members toward.  Isn't it a
good thing to send some random data to each UID on the key someone
wishes you to sign and require that they send back that data signed by
the key to prove they control both the key and the email address in
the UID?

Many thanks for the helpful information,

- -- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Money can't buy happiness, but it sure makes living in misery easier.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iG0EARECAC0FAkSt44gmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1qEygCbBVGaCdjOa7MJ9gjkdRphpmz/Rx8AoO7Fh4Zd
/pIdv/NHTQTTvue9nY2r
=O8C/
-----END PGP SIGNATURE-----