Keysigning challenge policies/procedures

Ingo Klöcker kloecker at kde.org
Fri Jul 7 20:39:37 CEST 2006


On Friday 07 July 2006 17:09, Todd Zullinger wrote:
> Marcus Frings wrote:
> > * Todd Zullinger <tmz at pobox.com> wrote:
> >> What I don't see in any of the links is more information about
> >> sending an email challenge before signing a key.  (My apologies if
> >> I'm overlooking it on your page or any of the others.)
> >
> > Before, I used a protocol for signing keys where I sent out random
> > strings as a challenge-response, but it's not worth it. There is no
> > enhanced security and only more work for "signer" and "signee". If
> > you send the signed UIDs encrypted to each mail address separately
> > it has the same effect in security because if the mail address
> > bounces or the person behind the address doesn't have the private
> > key your signed UIDs won't become publicly available.
>
> But that does mean that you can't get a signed key to someone if the
> key you've signed doesn't have any encryption capabilities, correct?

That's obviously correct. In this case you could give the key owner a 
piece of paper with a random string and ask him to send it in a signed 
message to your email address. Then you know that he can use this key 
for signing messages. Obviously, you can't check the validity of the 
email addresses belonging to this key (unless he's got an encryption 
key you can use for checking the addresses).

But in case of a certification-only key even that won't work.

> Unless, of course, you have told the signee that they must provide
> you with a key which they wish to have the signed keys encrypted to.
>
> Have you found in practice that you don't run into many sign-only
> keys that you are asked to certify?

Among the few hundred keys I've signed so far, only a handful were
sign-only or certification-only keys. I simply signed them with a
lower verification level.

Regards,
Ingo
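The "random string on a piece of paper" check for a sign-only key, as described in the reply above, scripted end to end. This is an added example, not code from the thread or from GnuPG's documentation; it assumes gpg 2.1 or later and constructs both roles (signer and signee) in throwaway GNUPGHOMEs, with an invented user ID, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread: the "random string on paper"
# check for a sign-only key, scripted end to end with gpg (2.1 or later).
# Both roles live in throwaway GNUPGHOMEs, so it runs offline. The name and
# address below are constructed for the example.
set -eu
WORK=$(mktemp -d); SIGNER="$WORK/signer"; SIGNEE="$WORK/signee"
trap 'for d in "$SIGNER" "$SIGNEE"; do GNUPGHOME=$d gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT
mkdir -m 700 "$SIGNER" "$SIGNEE"

# Signee: a sign-only key (no encryption subkey), the case discussed above.
GNUPGHOME=$SIGNEE gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Signee <signee@example.invalid>' ed25519 sign never
FPR=$(GNUPGHOME=$SIGNEE gpg --batch --with-colons --list-keys | awk -F: '/^fpr/ {print $10; exit}')
GNUPGHOME=$SIGNEE gpg --batch --quiet --export "$FPR" > "$WORK/signee.pub"

# Signer: hand over a random challenge and record it against the fingerprint
# that was checked in person, so a reply can only be matched to that key.
CHALLENGE=$(GNUPGHOME=$SIGNER gpg --batch --armor --gen-random 1 24 | tr -d '\n')
printf '%s\n' "$CHALLENGE" > "$WORK/issued-$FPR"
printf '%s\n' "$CHALLENGE" > "$WORK/paper.txt"   # what the key owner takes home

# Signee: send the challenge back in a clear-signed message.
GNUPGHOME=$SIGNEE gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --clearsign --output "$WORK/reply.asc" "$WORK/paper.txt"

# Signer: import the public key and check the reply. Success proves the sender
# can sign with that key; it says nothing about the e-mail addresses in the
# UIDs, which is the limitation the thread points out.
GNUPGHOME=$SIGNER gpg --batch --quiet --import "$WORK/signee.pub"
verify_reply() {  # $1 = reply file, $2 = fingerprint the challenge was issued for
    expected=$(cat "$WORK/issued-$2" 2>/dev/null) || return 1   # no challenge on record
    status=$(GNUPGHOME=$SIGNER gpg --batch --yes --status-fd 1 --output "$WORK/reply.txt" \
        --decrypt "$1" 2>/dev/null) || return 1                   # bad or missing signature
    # VALIDSIG names the key that made the signature; a good signature from
    # some other key must not pass.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $2 " || return 1
    [ "$(cat "$WORK/reply.txt")" = "$expected" ]                 # challenge text matches
}

if verify_reply "$WORK/reply.asc" "$FPR"; then
    echo "challenge answered with key $FPR"
else
    echo "reply rejected"
fi
```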