Keysigning challenge policies/procedures
Ingo Klöcker
kloecker at kde.org
Fri Jul 7 10:36:07 CEST 2006
Am Freitag, 7. Juli 2006 06:31 schrieb Todd Zullinger:
> What I don't see in any of the links is more information about
> sending an email challenge before signing a key. (My apologies if
> I'm overlooking it on your page or any of the others.)
>
> It's been discussed here before but I've not found any scripts or
> good details that I could point my fellow LUG members toward.
Try CA-Bot (http://cabot.alioth.debian.org/). I haven't used it myself
because I'm using a self-written script for creating challenges with
KMail. But I've been sent a few challenges generated by CA-Bot. Last
time I received such a message, it said (at least IIRC) that CA-Bot
couldn't handle signed and/or encrypted replies. So using CA-Bot you
can only check whether the person you send the challenge to can decrypt
the challenge, but you can't check whether he also controls the signing
key.
> Isn't
> it a good thing to send some random data to each UID on the key
> someone wishes you to sign and require that they send back that data
> signed by the key to prove they control both the key and the email
> address in the UID?
Where "control the email address" is different from "is the owner of the
email address". Anybody between you and the owner of the email address
can intercept the challenge, sign it and send it back to you. This is
especially a problem with email addresses which don't contain the name,
but just some random alias, nickname or whatever. tmz at pobox.com could
be anyone's email address.
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20060707/86827b95/attachment.pgp
More information about the Gnupg-users
mailing list