Keysigning challenge policies/procedures

Todd Zullinger tmz at
Fri Jul 7 17:09:55 CEST 2006

Marcus Frings wrote:
> * Todd Zullinger <tmz at> wrote:
>> What I don't see in any of the links is more information about
>> sending an email challenge before signing a key.  (My apologies if
>> I'm overlooking it on your page or any of the others.)
> Before, I used a protocol for signing keys where I sent out random
> strings as a challenge-response, but it's not worth it. There is no
> enhanced security and only more work for "signer" and "signee". If
> you send the signed UIDs encrypted to each mail address separately,
> it has the same effect on security, because if the mail address
> bounces or the person behind the address doesn't have the private
> key, your signed UIDs won't become publicly available.

But that does mean that you can't get a signed key to someone if the
key you've signed doesn't have any encryption capabilities, correct?
Unless, of course, you have told the signee that they must provide you
with a key which they wish to have the signed keys encrypted to.

Have you found in practice that you don't run into many sign-only
keys that you are asked to certify?

> There are some scripts around, but don't use CA-Bot as Ingo
> suggested. As he has already said, it has problems with so-called
> sign-only keys and it sends out broken mails. caff, from the same
> author, handles these keys much better. It can be downloaded from
> the third link I mentioned. Besides, it is already available in
> Debian and FreeBSD.

Thanks, I'll look closer at caff.  I haven't pulled down the package
and played with it yet.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL:
You're not drunk if you can lie on the floor without holding on.
    -- Dean Martin
