How to verify the e-mail address when certifying OpenPGP User IDs [was: Re: Signing a key (meaning)]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Apr 8 02:32:13 CEST 2011


On 04/07/2011 08:05 PM, Jan Janka wrote:
> thanks for the answer, but it seems to me with this procedure you only
> check whether the person has access to the email address, you
> don't check whether this access is illegal, do you?

I have made no claims anywhere about legality or illegality (i also
haven't specified legal jurisdiction, for that matter).

Do you mean "should legitimately have access", or something like that?

The verification test caff proposes is "Does the keyholder have the
ability to read mail sent to the address in the User ID?".  This is
pretty close to what i want to know, actually.

It does not try to test things like "does the e-mail address in question
use a good passphrase for access" or "is it hosted on a reliable mail
host" or "are all steps of SMTP delivery STARTTLS-capable using X.509
certificates with sensible trust anchors" or "is legally-entitled to
under US law".  These other tests are all rather subjective, potentially
impossible to automate, and of dubious usefulness anyway.

So i'm pretty happy with the caff methodology, though i'd be open to
hearing other concrete proposals that answer relatively clear-cut questions.

I do have some problems with the caff user interface, but that's another
story :/

Regards,

	--dkg
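The check described above (one certification per User ID, delivered only to that User ID's e-mail address, so that importing it proves the keyholder can read that mailbox) can be modelled in a few lines. The example below is added here for illustration; it is not code from this message, from caff, or from GnuPG. It replaces the OpenPGP-encrypted certification that caff actually mails with a random per-User-ID token, and the key fingerprint, User IDs, addresses and class names are constructed sample values. What it shows is the property dkg relies on: a User ID is confirmed only if its own challenge comes back, a challenge for one User ID cannot vouch for another, and the test says nothing about whether the mailbox access is "legitimate".

```python
"""Model of the caff-style User ID check: one challenge per User ID,
delivered only to that User ID's e-mail address. Added illustration,
not caff's own code; tokens stand in for the encrypted certification."""
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    fingerprint: str   # constructed placeholder, not a real key fingerprint
    user_ids: tuple    # OpenPGP User ID strings, e.g. "Name <addr>"


def address_of(user_id):
    """Extract the e-mail address from an OpenPGP User ID, or None if absent."""
    m = re.search(r"<([^<>]+)>", user_id)
    return m.group(1).lower() if m else None


class MailSystem:
    """Constructed stand-in for SMTP delivery: a mailbox per address."""
    def __init__(self):
        self._boxes = {}

    def deliver(self, addr, msg):
        self._boxes.setdefault(addr, []).append(msg)

    def read(self, addr):
        return list(self._boxes.get(addr, []))


class Certifier:
    """Issues one challenge per User ID and accepts each at most once."""
    def __init__(self):
        self._pending = {}   # (fingerprint, user_id) -> token

    def issue_challenges(self, key, mail_system):
        for uid in key.user_ids:
            addr = address_of(uid)
            if addr is None:
                continue   # no address in the User ID: this test cannot apply
            token = secrets.token_hex(16)
            self._pending[(key.fingerprint, uid)] = token
            # caff mails the certification itself, encrypted to the key;
            # the token plays that role here.
            mail_system.deliver(addr, {"fingerprint": key.fingerprint,
                                       "uid": uid, "token": token})

    def confirm(self, fingerprint, uid, token):
        """True only if this exact User ID's own challenge is returned."""
        expected = self._pending.get((fingerprint, uid))
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self._pending[(fingerprint, uid)]   # one-shot
        return True


def run_verification(key, readable_addresses):
    """Map each User ID to whether a keyholder who can read only the
    given mailboxes manages to confirm it."""
    mail, certifier = MailSystem(), Certifier()
    certifier.issue_challenges(key, mail)
    results = {uid: False for uid in key.user_ids}
    for addr in readable_addresses:
        for msg in mail.read(addr.lower()):
            results[msg["uid"]] = certifier.confirm(
                msg["fingerprint"], msg["uid"], msg["token"])
    return results


def replay_across_uids(key):
    """Try to confirm the second User ID with the first one's token."""
    mail, certifier = MailSystem(), Certifier()
    certifier.issue_challenges(key, mail)
    first, second = key.user_ids[0], key.user_ids[1]
    stolen = mail.read(address_of(first))[0]["token"]
    return certifier.confirm(key.fingerprint, second, stolen)


# Constructed sample key: two User IDs, the keyholder only reads one mailbox.
SAMPLE_KEY = PublicKey(
    fingerprint="FINGERPRINT-PLACEHOLDER",
    user_ids=("Alice Example <alice@example.org>",
              "Alice Example <alice@old-employer.example>"),
)

if __name__ == "__main__":
    for uid, ok in run_verification(SAMPLE_KEY, {"alice@example.org"}).items():
        print(f"{'verified' if ok else 'not verified'}: {uid}")
    print("cross-UID replay accepted:", replay_across_uids(SAMPLE_KEY))
```

Note what the model leaves out on purpose: nothing in `run_verification` asks how the keyholder came to read `alice@example.org`, which is exactly the limit Jan Janka points at and dkg accepts as the boundary of the test.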
