Keysigning challenge policies/procedures

Marcus Frings iam-est-hora-surgere at despammed.com
Fri Jul 7 11:19:47 CEST 2006


* Todd Zullinger <tmz at pobox.com> wrote:

> What I don't see in any of the links is more information about sending
> an email challenge before signing a key.  (My apologies if I'm
> overlooking it on your page or any of the others.)

Before, I used a protocol for signing keys where I sent out random strings
as a challenge response, but it's not worth it. There is no enhanced
security, only more work for "signer" and "signee". If you send the signed
UIDs encrypted to each mail address separately, it has the same security
effect, because if the mail address bounces or the person behind the
address doesn't have the private key, your signed UIDs won't become
publicly available.

> It's been discussed here before but I've not found any scripts or good
> details that I could point my fellow LUG members toward.  Isn't it a
> good thing to send some random data to each UID on the key someone
> wishes you to sign and require that they send back that data signed by
> the key to prove they control both the key and the email address in
> the UID?

There are some scripts around, but don't use CA-Bot as Ingo suggested. As
he has already said, it has problems with so-called sign-only keys and it
sends out broken mails. caff, from the same author, handles these keys
much better. It can be downloaded from the third link I mentioned.
Besides, it is already available in Debian and FreeBSD.

Regards,
Marcus
-- 
"This elevator serves me alone. I have complete control over
this entire level. With cameras as my eyes and nodes as my
hands, I rule here, insect."
                                     (Shodan in System Shock)

More information about the Gnupg-users mailing list