How to verify the e-mail address when certifying OpenPGP User IDs [was: Re: Signing a key (meaning)]

Jan Janka takethebus at
Fri Apr 8 02:05:44 CEST 2011

Hi Daniel,

thanks for the answer, but it seems to me with this procedure you only
check    whether    the  person  has  access to the email address, you
don't check whether this access is illegal, don't you?

Tace care,

-------- Original-Nachricht --------
> Datum: Thu, 07 Apr 2011 19:49:50 -0400
> Von: Daniel Kahn Gillmor <dkg at>
> An: takethebus at
> CC: GnuPG Users <gnupg-users at>
> Betreff: How to verify the e-mail address when certifying OpenPGP User IDs [was: Re: Signing a key (meaning)]

> On 04/07/2011 07:33 PM, takethebus at wrote:
> > The reason I asked this quetion is that I wonder how I can check whether
> the email address in the ID realy belongs to the keyowner. 
> The standard way i've seen e-mail address verification done is with caff
> ("certificate authority fire and forget") from the signing-party package
> in debian.
> caff works like this:
>  0) during an in-person meeting, you verify the person's identity (often
> by checking official ID) and get their claimed fingerprint.  You note
> this down in some way that you can unimpeachably retrieve it (e.g. on a
> slip of paper, in your own handwriting, and that does not leave your
> physical possession).
>  1) afterward, when you have some time, you take your piece of paper,
> and for each fingerprint, run "caff $FINGERPRINT".  caff presents you
> with the person's name and claimed e-mail address.  You verify the name,
> and that the e-mail address seems at least plausible.
>  2) if you've said it seems ok, caff then makes an OpenPGP certification
> on your behalf, creates an introductory e-mail message explaining what
> this is, attaches the certification, encrypts the e-mail message to the
> keyholder, and sends the e-mail.  The certification stays in a special
> caff-specific keyring (not your own everyday keyring).
> If the keyholder actually does control the e-mail address in question,
> they'll receive the message, decrypt it, and then be able to add your
> certification to their own key.  Then, if they choose, they can upload
> your certification to the public keyserver (so you and everyone else can
> see it) or they can mail it back to you (if they only want to complete
> the handshake for you in particular, but want to keep the association
> otherwise temporarily private).
> Make sense?
> 	--dkg

More information about the Gnupg-users mailing list