Driving licence as identification and accepting signed keys without exchanging encrypted data

Atom Smasher atom at smasher.org
Tue Jul 25 08:43:50 CEST 2006

On Mon, 24 Jul 2006, David Shaw wrote:

> Note that there is a difference between what page at 
> http://www.hantslug.org.uk/cgi-bin/wiki.pl?LinuxHints/KeySigning says 
> and what you say above.  The page (correctly) notes that all that is 
> necessary is that the person *sign* the challenge before sending it back 
> to you.  The page makes clear ("encrypted, if you like") that encryption 
> is optional here, and adds little to what you are trying to prove.  It 
> doesn't matter if other people can read the signed challenge or not. 
> Of course, it doesn't hurt to encrypt, so long as it is understood that 
> it doesn't really help either.

other than adding an extra step to the process, what is gained by signing 
a challenge instead of encrypting a key certification (key signature) to 
the recipient's public key?

assuming that the primary key is the signing key, the protocol outlined in 
the link, above, does NOT demonstrate that the recipient controls the 
private half of the encryption subkey.

if, instead, the signed key is encrypted to the recipient, the key 
signature is only useful AFTER the recipient has proven their control of 
the private encryption key... this protocol simultaneously demonstrates 
their control of the primary key (used to self-sign the UID and encryption 
subkey) and email address.


  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

 	"Nationalism is the childness sickness of Man.
 	 It is the whooping cough of adults"
 		-- Albert Einstein

More information about the Gnupg-users mailing list