How to verify the e-mail address when certifying OpenPGP User IDs [was: Re: Signing a key (meaning)]
takethebus at gmx.de
Fri Apr 8 02:05:44 CEST 2011
thanks for the answer, but it seems to me with this procedure you only
check whether the person has access to the email address, you
don't check whether this access is illegal, don't you?
-------- Original-Nachricht --------
> Datum: Thu, 07 Apr 2011 19:49:50 -0400
> Von: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> An: takethebus at gmx.de
> CC: GnuPG Users <gnupg-users at gnupg.org>
> Betreff: How to verify the e-mail address when certifying OpenPGP User IDs [was: Re: Signing a key (meaning)]
> On 04/07/2011 07:33 PM, takethebus at gmx.de wrote:
> > The reason I asked this quetion is that I wonder how I can check whether
> the email address in the ID realy belongs to the keyowner.
> The standard way i've seen e-mail address verification done is with caff
> ("certificate authority fire and forget") from the signing-party package
> in debian.
> caff works like this:
> 0) during an in-person meeting, you verify the person's identity (often
> by checking official ID) and get their claimed fingerprint. You note
> this down in some way that you can unimpeachably retrieve it (e.g. on a
> slip of paper, in your own handwriting, and that does not leave your
> physical possession).
> 1) afterward, when you have some time, you take your piece of paper,
> and for each fingerprint, run "caff $FINGERPRINT". caff presents you
> with the person's name and claimed e-mail address. You verify the name,
> and that the e-mail address seems at least plausible.
> 2) if you've said it seems ok, caff then makes an OpenPGP certification
> on your behalf, creates an introductory e-mail message explaining what
> this is, attaches the certification, encrypts the e-mail message to the
> keyholder, and sends the e-mail. The certification stays in a special
> caff-specific keyring (not your own everyday keyring).
> If the keyholder actually does control the e-mail address in question,
> they'll receive the message, decrypt it, and then be able to add your
> certification to their own key. Then, if they choose, they can upload
> your certification to the public keyserver (so you and everyone else can
> see it) or they can mail it back to you (if they only want to complete
> the handshake for you in particular, but want to keep the association
> otherwise temporarily private).
> Make sense?
More information about the Gnupg-users