trust your corporation for keyowner identification?
expires2013 at ymail.com
Mon Nov 4 17:02:00 CET 2013
On Sunday 3 November 2013 at 2:08:15 AM, in
<mid:5275B00F.7030404 at gmail.com>, Paul R. Ramer wrote:
> When you verify a key to sign you are verifying the following:
> 1) For each UID, that the name is correct and that the purported owner
> has control of the email in that UID (possibly also verifying the
> comment if it contains something such as "CEO ABC Corporation").
> 2) That the purported owner has control of the key and can decrypt and
> sign messages.
> For #1, it is possible that the user has no name or email address in
> the UID(s). Either way, you need to verify the details of the UIDs
> that you intend to sign.
> For #2, you need to verify the key fingerprint, algorithm, and key size
> (but the fingerprint at a minimum) and then have the user demonstrate
> that he can decrypt a message encrypted with the key in question and
> also sign with it. This can be done by sending a message of unknown
> content (from the purported key owner's perspective) to him to each
> email that he claims to have in each of his UIDs (provided he has any)
> and requiring him to reply with a signed copy of the decrypted message.
> This serves to verify the control of the key and the email addresses.
Why do we need to establish they can also sign? Isn't it enough to
demonstrate they control the email address and can decrypt, by signing
one UID at a time and sending that signed copy of the key in an
encrypted email to the address in that UID?
And as an aside, does it really make a difference to only sign some
UIDs and not others? Does GnuPG actually take account of which UIDs
are signed in its validity or trust calculations?
MFPA mailto:expires2013 at ymail.com
Life is far too important a thing ever to talk seriously about
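The challenge/response procedure the quoted post describes, written out as an added example for readers of the thread (not code from either poster). It assumes gpg is installed, that the candidate public key is already imported, and that the fingerprint passed in is the primary-key fingerprint you checked in person, as 40 uppercase hex digits without spaces.

```shell
#!/bin/sh
# Challenge/response check of key ownership. Assumptions: gpg is installed,
# the candidate public key is imported, and $1 fingerprints are uppercase hex.
set -eu

# Build a challenge the purported owner cannot predict: a fresh random nonce
# tied to the email address of the UID it will be sent to.
make_challenge() {                       # $1 = email from the UID being checked
    nonce=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf 'keysigning challenge for %s: %s\n' "$1" "$nonce"
}

# Encrypt the challenge to the verified fingerprint only (never to a name or
# email), so reading it proves control of exactly that private key.
encrypt_challenge() {                    # $1 = fingerprint, $2 = challenge text
    printf '%s\n' "$2" | gpg --batch --armor --trust-model always \
        --recipient "$1" --encrypt
}

# Pull the signer's primary-key fingerprint out of a gpg --status-fd log.
# VALIDSIG's last field is the primary key fingerprint, so a signature made
# with a signing subkey is still attributed to the key we verified.
signer_fingerprint() {                   # $1 = status log file
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }' "$1"
}

# Does the signed payload contain, as a whole line, the challenge we sent?
payload_has_challenge() {                # $1 = payload file, $2 = challenge text
    grep -qxF -- "$2" "$1"
}

# Check the reply: decrypt/verify it, then require BOTH a valid signature from
# the expected fingerprint AND our original challenge text inside the payload.
# Together these cover "can decrypt", "can sign", and "controls the address".
check_reply() {                          # $1 = fingerprint, $2 = challenge, $3 = reply file
    status=$(mktemp); payload=$(mktemp)
    gpg --batch --status-fd 1 --output "$payload" --decrypt "$3" \
        >"$status" 2>/dev/null || true
    got=$(signer_fingerprint "$status"); rm -f "$status"
    if [ "$got" = "$1" ] && payload_has_challenge "$payload" "$2"; then
        rm -f "$payload"; echo "OK: signed by $1 over our challenge"; return 0
    fi
    rm -f "$payload"; echo "FAIL: signer '$got' or challenge text missing"; return 1
}
```

Run `make_challenge` once per UID email, send the output of `encrypt_challenge` to that address, and feed the reply to `check_reply`; a reply that decrypts but is unsigned, or is signed by a different key, fails.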