Proof of possession when exchanging keys

Thomas Harning Jr. harningt at gmail.com
Fri Nov 15 17:02:33 CET 2013


The general practice I follow is to verify fingerprint and ID separately,
then, in order to verify control of the email address and private key, send the
signed ID encrypted to the provided email address.



On Wed, Nov 13, 2013 at 11:49 AM, Phil Calvin <phil at philcalvin.com> wrote:

> I seem to recall reading somewhere that when exchanging keys in
> person, you should not only have the person verify the key
> fingerprint, but you should also present them with 1) an unpredictable
> challenge document to sign or 2) verify that they can decrypt an
> encrypted message using the key in question. This would ensure they
> have access to the secret half of the keypair in question.
>
> Is verifying proof of possession necessary or good practice, or is
> checking fingerprints (and, when you don't know the person, photo ID
> or similar) enough?
>
> Phil



-- 
Thomas Harning Jr. (http://about.me/harningt)
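The challenge-signing option raised in the quoted question, as an added example that is not part of the original thread: the verifier issues a fresh random challenge and accepts only a valid detached signature over it from the fingerprint checked in person. It assumes GnuPG 2.1 or later; the function names, the throwaway keys and the temporary homedirs are constructed for the illustration.

```shell
# Verifier: write an unpredictable challenge to file $1.
make_challenge() {
  { printf 'key-possession challenge '
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; echo; } > "$1"
}

# Key holder: detached-sign challenge $3 with key $2 from homedir $1 into $4.
answer_challenge() {
  gpg --homedir "$1" --batch --yes --pinentry-mode loopback --passphrase '' \
      --local-user "$2" --armor --output "$4" --detach-sign "$3"
}

# Verifier: succeed only if $4 is a valid signature over $3 made by the key
# whose primary fingerprint is $2 (the value checked in person).
check_answer() {
  local fpr
  fpr=$(gpg --homedir "$1" --batch --status-fd 1 --verify "$4" "$3" 2>/dev/null |
        awk '$2 == "VALIDSIG" { print $NF }')   # last field: primary key fpr
  [ -n "$fpr" ] && [ "$fpr" = "$2" ]
}

# Demo with a constructed throwaway key; returns 0 if a fresh answer is
# accepted and an answer replayed against a different challenge is rejected.
demo() {
  local tmp holder verifier fpr rc=0
  tmp=$(mktemp -d) || return 1
  holder="$tmp/h"; verifier="$tmp/v"
  mkdir -m 700 "$holder" "$verifier"
  gpg --homedir "$holder" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key \
      'Constructed Holder <holder@example.invalid>' ed25519 sign never 2>/dev/null
  fpr=$(gpg --homedir "$holder" --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" { print $10; exit }')
  # Verifier's keyring holds only the public key, as after a key exchange.
  gpg --homedir "$holder" --batch --export "$fpr" |
      gpg --homedir "$verifier" --batch --quiet --import 2>/dev/null
  make_challenge "$tmp/c1"; make_challenge "$tmp/c2"
  answer_challenge "$holder" "$fpr" "$tmp/c1" "$tmp/c1.asc" 2>/dev/null
  check_answer "$verifier" "$fpr" "$tmp/c1" "$tmp/c1.asc" || rc=1  # must accept
  check_answer "$verifier" "$fpr" "$tmp/c2" "$tmp/c1.asc" && rc=2  # must reject
  gpgconf --homedir "$holder" --kill gpg-agent 2>/dev/null
  rm -rf "$tmp"
  return "$rc"
}

if [ "${1:-}" = demo ]; then demo && echo "possession verified"; fi
```

Because the challenge is generated by the verifier at the time of the check, a signature collected earlier or made over other text does not pass.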