Keysigning challenge policies/procedures
tmz at pobox.com
Fri Jul 7 17:09:55 CEST 2006
Marcus Frings wrote:
> * Todd Zullinger <tmz at pobox.com> wrote:
>> What I don't see in any of the links is more information about
>> sending an email challenge before signing a key. (My apologies if
>> I'm overlooking it on your page or any of the others.)
> Before, I used a protocol for signing keys where I sent out random
> strings as a challenge-response, but it's not worth it. There is no
> enhanced security and only more work for "signer" and "signee". If
> you send the signed UIDs encrypted to each mail address separately,
> it has the same effect in security, because if the mail address
> bounces or the person behind the address doesn't have the private
> key, your signed UIDs won't become publicly available.
But that does mean that you can't get a signed key to someone if the
key you've signed doesn't have any encryption capabilities, correct?
Unless, of course, you have told the signee that they must provide you
with a key which they wish to have the signed keys encrypted to.
Have you found in practice that you don't run into many sign-only
keys that you are asked to certify?
> There are some scripts around, but don't use CA-Bot as Ingo
> suggested. As he has already said, it has problems with so-called
> sign-only keys and it sends out broken mails. caff, from the same
> author, handles these keys much better. It can be downloaded from
> the third link I mentioned. Besides, it is already available in
> Debian and FreeBSD.
Thanks, I'll look closer at caff. I didn't pull down the package and
play with it yet.
Todd
OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
You're not drunk if you can lie on the floor without holding on.
-- Dean Martin
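The two delivery strategies discussed in this thread, as an added example (not caff's code, not CA-Bot's, and not something either poster wrote): for a key with encryption capability, the signed UID is simply encrypted to that key and mailed to the UID's address, so whoever cannot decrypt never gets a usable signature; for a sign-only key, which is the case Todd raises, the signer falls back to mailing a random challenge string to each address and only releasing the signature once the string comes back. The `Key` and `Challenge` records, `SIGNER_SECRET`, `CHALLENGE_TTL`, and the sample keys at the bottom are all constructed for this illustration; the actual OpenPGP operations (signing the UID, exporting it, encrypting the export) are left out on purpose.

```python
"""Per-UID delivery of key signatures, with an e-mail challenge fallback
for sign-only keys.  Illustrative code only; not from caff or the thread."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical signer-side secret.  The signer stores only an HMAC
# commitment to each challenge, never the challenge itself, so a leaked
# state file does not let anyone answer outstanding challenges.
SIGNER_SECRET = secrets.token_bytes(32)
CHALLENGE_TTL = 7 * 24 * 3600  # challenges expire after one week (assumed policy)


@dataclass
class Key:
    fingerprint: str
    uids: list            # e-mail addresses taken from the key's user IDs
    can_encrypt: bool     # True if the key or any subkey carries the E capability


@dataclass
class Challenge:
    fingerprint: str
    uid: str
    issued: float         # time the challenge was mailed (epoch seconds)
    commitment: bytes     # HMAC(SIGNER_SECRET, fingerprint|uid|token)
    used: bool = False    # a challenge may be answered only once


def plan_delivery(key):
    """Decide, per UID, how the signed UID reaches its owner.

    encrypt-to-key:   mail the signed UID encrypted to the key (Marcus's method)
    email-challenge:  the key cannot decrypt, so mail a random string instead
    """
    mode = "encrypt-to-key" if key.can_encrypt else "email-challenge"
    return {uid: mode for uid in key.uids}


def _commit(fingerprint, uid, token):
    msg = f"{fingerprint}\n{uid}\n{token}".encode()
    return hmac.new(SIGNER_SECRET, msg, hashlib.sha256).digest()


def issue_challenge(key, uid, now=None):
    """Create the random string to mail to `uid` and the record to keep."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    record = Challenge(key.fingerprint, uid, now, _commit(key.fingerprint, uid, token))
    return token, record


def verify_challenge(record, returned_token, now=None):
    """True exactly once, for the right token, before the challenge expires."""
    now = time.time() if now is None else now
    if record.used or now - record.issued > CHALLENGE_TTL:
        return False
    expected = _commit(record.fingerprint, record.uid, returned_token)
    if not hmac.compare_digest(record.commitment, expected):
        return False
    record.used = True
    return True


if __name__ == "__main__":
    # Constructed sample keys: one with an encryption subkey, one sign-only.
    full = Key("0123456789ABCDEF0123456789ABCDEF01234567",
               ["alice@example.org", "alice@example.net"], can_encrypt=True)
    sign_only = Key("89ABCDEF0123456789ABCDEF0123456789ABCDEF",
                    ["bob@example.org"], can_encrypt=False)

    for key in (full, sign_only):
        for uid, mode in plan_delivery(key).items():
            if mode == "encrypt-to-key":
                print(f"{uid}: encrypt signed UID to {key.fingerprint[-8:]} and mail it")
            else:
                token, record = issue_challenge(key, uid)
                print(f"{uid}: mail challenge {token}; sign only after it is returned")
                print("  returned correctly ->", verify_challenge(record, token))
                print("  replayed            ->", verify_challenge(record, token))
```

The fallback keeps the property Marcus relies on: a bounced address or an address whose reader is not the key holder yields no usable signature, because the signature is only published after the challenge is returned. The one-shot flag and the expiry are what stop an old mailbox dump from being replayed later.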