Keysigning challenge policies/procedures

Ingo Klöcker kloecker at
Fri Jul 7 10:36:07 CEST 2006

On Friday, 7 July 2006 06:31, Todd Zullinger wrote:
> What I don't see in any of the links is more information about
> sending an email challenge before signing a key.  (My apologies if
> I'm overlooking it on your page or any of the others.)
> It's been discussed here before but I've not found any scripts or
> good details that I could point my fellow LUG members toward.

Try CA-Bot ( I haven't used it myself 
because I'm using a self-written script for creating challenges with 
KMail. But I've been sent a few challenges generated by CA-Bot. Last 
time I received such a message, it said (at least IIRC) that CA-Bot 
couldn't handle signed and/or encrypted replies. So using CA-Bot you 
can only check whether the person you send the challenge to can decrypt 
the challenge, but you can't check whether he also controls the signing 

> Isn't it a good thing to send some random data to each UID on the key
> someone wishes you to sign and require that they send back that data
> signed by the key to prove they control both the key and the email
> address in the UID?

Where "control the email address" is different from "is the owner of the 
email address". Anybody between you and the owner of the email address 
can intercept the challenge, sign it and send it back to you. This is 
especially a problem with email addresses which don't contain the name, 
but just some random alias, nickname or whatever. tmz at could 
be anyone's email address.
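
The per-UID challenge Todd describes, with the signature check Ingo notes a decrypt-only bot cannot make, as an added example (not part of the original message, and not CA-Bot's or Ingo's script). It assumes the caller has already run gpg with `--status-fd` on the reply; the function names, the placeholder fingerprint and the sample UIDs are hypothetical.

```python
import hmac
import secrets

KEY_FPR = "A" * 40  # constructed placeholder, not a real fingerprint


def issue_challenges(uids):
    """One unguessable token per UID, so a reply proves that address only."""
    return {uid: secrets.token_hex(16) for uid in uids}


def signer_fingerprint(status_text):
    """Primary-key fingerprint from gpg's VALIDSIG status line, else None."""
    for line in status_text.splitlines():
        f = line.split()
        if f[:2] == ["[GNUPG:]", "VALIDSIG"] and len(f) >= 3:
            # f[2] is the key that signed; f[11], when present, is the
            # primary key it belongs to (differs for signing subkeys).
            return f[11] if len(f) >= 12 else f[2]
    return None


def verified_uid(challenges, key_fpr, signed_body, status_text):
    """Return the UID whose token came back validly signed by key_fpr.

    Assumes the caller ran gpg with --status-fd on the reply and passes the
    status output plus the text covered by the signature. A reply that was
    only decrypted (no VALIDSIG) proves nothing about the signing key.
    """
    fpr = signer_fingerprint(status_text)
    if fpr is None or fpr.upper() != key_fpr.upper():
        return None
    words = [w.encode() for w in signed_body.split()]
    for uid, token in challenges.items():
        if any(hmac.compare_digest(w, token.encode()) for w in words):
            return uid
    return None


if __name__ == "__main__":
    # Constructed sample data: two UIDs on one key, one signed reply.
    ch = issue_challenges(["Alice <alice@example.org>", "Alice <al@example.net>"])
    status = f"[GNUPG:] VALIDSIG {KEY_FPR} 2006-07-07 1152261367 0 3 0 17 2 01 {KEY_FPR}"
    body = "Challenge response: " + ch["Alice <al@example.net>"]
    print(verified_uid(ch, KEY_FPR, body, status))  # signed reply
    print(verified_uid(ch, KEY_FPR, body, "[GNUPG:] DECRYPTION_OKAY"))  # decrypt only
```

A match shows only that whoever answered can read mail sent to that address and can sign with the key, which is the "control" versus "owner" distinction made above.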

More information about the Gnupg-users mailing list