Keysigning challenge policies/procedures

Todd Zullinger tmz at
Fri Jul 7 22:15:03 CEST 2006


Ingo Klöcker wrote:
> On Friday 07 July 2006 17:09, Todd Zullinger wrote:
>> But that does mean that you can't get a signed key to someone if
>> the key you've signed doesn't have any encryption capabilities,
>> correct?
> That's obviously correct. In this case you could give the key owner
> a piece of paper with a random string and ask him to send it in a
> signed message to your email address. Then you know that he can use
> this key for signing messages. Obviously, you can't check the
> validity of the email addresses belonging to this key (unless he's
> got an encryption key you can use for checking the addresses).

Is it really necessary to encrypt the challenge?  If the key has
encryption capabilities, I would do so, but if it was a sign only key
and I could not do so, just what sort of attacks or weaknesses are
there in sending the challenge in the clear?  I've seen David Shaw
point out that it didn't gain you much.  I'm just trying to work
through the possible scenarios so I have them clear in my mind before
trying to present this to a larger group, who may well end up with
questions on this that I'd like to have better answers for than I do

>> Have you found in practice that you don't run into many sign-only
>> keys that you are asked to certify?
> Among a few hundred keys I've signed so far only a handful were
> sign-only or certification-only keys. I did simply sign them with a
> lower verification level.

Okay.  I would have guessed that you probably wouldn't run into
terribly many keys like this, but thank you for giving some practical
experience to support this.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL:
...unfortunately, we can't control the actions of everyone.
    -- Bill Clinton, April 20, 1993
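As an added example, not from the thread or from GnuPG: a small Python model of the challenge bookkeeping Ingo describes, covering both the encrypted per-UID challenge and the single cleartext challenge for a sign-only key. It assumes gpg has already verified the reply's signature and reported the signer's fingerprint; the fingerprints and addresses in the comments are made up.

```python
import hmac
import secrets

# Outstanding challenges: (signing-key fingerprint, uid) -> token.
# uid is None for the single cleartext challenge given to a sign-only key.
CHALLENGES = {}


def issue_challenges(fingerprint, uids, can_encrypt):
    """Create one-time tokens for a key we intend to sign.

    With an encryption subkey, each UID gets its own token which is to be
    mailed encrypted to that address, so only someone who controls the
    mailbox and holds the decryption key can read it.  For a sign-only key
    there is nothing to encrypt to, so a single token is handed over in the
    clear (on paper, say) and recorded under uid=None.
    """
    targets = list(uids) if can_encrypt else [None]
    issued = {}
    for uid in targets:
        token = secrets.token_hex(16)
        CHALLENGES[(fingerprint, uid)] = token
        issued[uid] = token
    return issued


def check_reply(signer_fpr, reply_text):
    """Evaluate a reply that gpg has already reported as validly signed by
    signer_fpr (signature checking itself is left to gpg).

    Returns None if no outstanding challenge for that key is echoed in the
    reply; otherwise a dict saying which UID (if any) the reply vouches for.
    A cleartext challenge only shows the sender holds the signing key, so
    email_verified is False and the signer would use a lower cert level.
    """
    lines = [ln.strip().encode() for ln in reply_text.splitlines()]
    for (fpr, uid), token in list(CHALLENGES.items()):
        if fpr != signer_fpr:
            continue
        # Compare each line against the token in constant time rather than
        # with substring search, so nothing leaks about how much matched.
        if any(hmac.compare_digest(ln, token.encode()) for ln in lines):
            del CHALLENGES[(fpr, uid)]  # tokens are single use
            return {"uid": uid, "email_verified": uid is not None}
    return None
```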
