How to verify the e-mail address when certifying OpenPGP User IDs [was: Re: Signing a key (meaning)]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Apr 8 01:49:50 CEST 2011


On 04/07/2011 07:33 PM, takethebus at gmx.de wrote:
> The reason I asked this question is that I wonder how I can check whether the email address in the ID really belongs to the keyowner.

The standard way I've seen e-mail address verification done is with caff
("certificate authority fire and forget") from the signing-party package
in debian.

caff works like this:

 0) during an in-person meeting, you verify the person's identity (often
by checking official ID) and get their claimed fingerprint.  You note
this down in some way that you can unimpeachably retrieve it (e.g. on a
slip of paper, in your own handwriting, and that does not leave your
physical possession).

 1) afterward, when you have some time, you take your piece of paper,
and for each fingerprint, run "caff $FINGERPRINT".  caff presents you
with the person's name and claimed e-mail address.  You verify the name,
and that the e-mail address seems at least plausible.

 2) if you've said it seems ok, caff then makes an OpenPGP certification
on your behalf, creates an introductory e-mail message explaining what
this is, attaches the certification, encrypts the e-mail message to the
keyholder, and sends the e-mail.  The certification stays in a special
caff-specific keyring (not your own everyday keyring).

If the keyholder actually does control the e-mail address in question,
they'll receive the message, decrypt it, and then be able to add your
certification to their own key.  Then, if they choose, they can upload
your certification to the public keyserver (so you and everyone else can
see it) or they can mail it back to you (if they only want to complete
the handshake for you in particular, but want to keep the association
otherwise temporarily private).

Make sense?

	--dkg
