Keysigning challenge policies/procedures

Todd Zullinger tmz at pobox.com
Fri Jul 7 16:56:10 CEST 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ingo Klöcker wrote:
> Try CA-Bot (http://cabot.alioth.debian.org/).

Thanks Ingo.

> I haven't used it myself because I'm using a self-written script for
> creating challenges with KMail.

Could you elaborate a little on the procedure you use to generate the
challenges?  I'd love to have some examples of how other folks do
things to present to my fellow LUG members.

> But I've been sent a few challenges generated by CA-Bot. Last time I
> received such a message, it said (at least IIRC) that CA-Bot
> couldn't handle signed and/or encrypted replies. So using CA-Bot you
> can only check whether the person you send the challenge to can
> decrypt the challenge, but you can't check whether he also controls
> the signing key.

That's unfortunate, since the signature is more important than the
decryption, AFAIAC.  I'll take a look and see if CA-bot can't be
useful as a starting point for some scripts of my own.

>> Isn't it a good thing to send some random data to each UID on the
>> key someone wishes you to sign and require that they send back that
>> data signed by the key to prove they control both the key and the
>> email address in the UID?
> 
> Where "control the email address" is different from "is the owner of
> the email address". Anybody between you and the owner of the email
> address can intercept the challenge, sign it and send it back to
> you.

Of course, but they can't sign it with the key I've been asked to sign
and which I verified from the key fingerprint and other owner details,
unless they are the proper owner of that key.

> This is especially a problem with email addresses which don't
> contain the name, but just some random alias, nickname or whatever.
> tmz at pobox.com could be anyone's email address.

Right.  But if we met in person and I showed you acceptable ID,
provided you with the key fingerprint and other key data, then
returned a challenge from you signed using the key matching the
fingerprint that you verified in our meeting, you know that I am in
control of the key and that I can get mail at tmz at pobox.com.
Obviously, others can read mail there too and that's why I'm using GPG
to ensure that I'm the only one that will be able to decipher mail
sent to that address and generate verifiable email from that address.

Thanks,

- -- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
You will never find time for anything.  If you want time you must make
it.
    -- Charles Buxton

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iG0EARECAC0FAkSudgomGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1qhDQCg113UiRsz5aUYeNGvRWOQdOHRzT0AnAnXloPp
xhBU91pupwwlzXFTFOjm
=xk6i
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list