Driving licence as identification and accepting signed keys
without exchanging encrypted data
atom at smasher.org
Tue Jul 25 08:43:50 CEST 2006
On Mon, 24 Jul 2006, David Shaw wrote:
> Note that there is a difference between what page at
> http://www.hantslug.org.uk/cgi-bin/wiki.pl?LinuxHints/KeySigning says
> and what you say above. The page (correctly) notes that all that is
> necessary is that the person *sign* the challenge before sending it back
> to you. The page makes clear ("encrypted, if you like") that encryption
> is optional here, and adds little to what you are trying to prove. It
> doesn't matter if other people can read the signed challenge or not.
> Of course, it doesn't hurt to encrypt, so long as it is understood that
> it doesn't really help either.
other than adding an extra step to the process, what is gained by signing
a challenge instead of encrypting a key certification (key signature) to
the recipient's public key?
assuming that the primary key is the signing key, the protocol outlined in
the link, above, does NOT demonstrate that the recipient controls the
private half of the encryption subkey.
if, instead, the signed key is encrypted to the recipient, the key
signature is only useful AFTER the recipient has proven their control of
the private encryption key... this protocol simultaneously demonstrates
their control of the primary key (used to self-sign the UID and encryption
subkey) and email address.
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
"Nationalism is the childness sickness of Man.
It is the whooping cough of adults"
-- Albert Einstein
More information about the Gnupg-users