email verification as casual checking?

Nicolai Josuttis nico.josuttis at
Fri Aug 22 18:13:54 CEST 2014


To deal with faked keys, some guys had the idea to use
email verification and then let certification servers
take that as "casual signing".

For example:
- Some guy might create a key using a mail client
- That key is then automatically sent by the email client
  to a server, which can be used as key server
- The key server sends a confirmation request to the email
  address(es) of the registered key
- If the confirmation recipient confirms that he/she registered
  the key, the key server certifies this key as casual checked.

THAT IS, the key server would automatically certify the correctness
of the association between the key and the email address as casual signing.

The big advantage would be to have a simple way to validate
The big disadvantage besides some details (such as registering
additional email addresses) is probably that PGP signatures
usually sign the owner, not his/her email address,
if I understood it correctly.
Although regarding signature types, we state in RFC4880:
> Please note that the vagueness of these meanings is not a flaw,
> but a feature of the system.
But we could mark this kind of automatically certifying key server as
special so that people (are able to) know what they do
when they trust this key server and therefore its casually signed keys.

What do you think about this idea?
Was it ever discussed?

Nicolai M. Josuttis
PGP Fingerprint: EA25 EF48 BF20 01E4 1FAB 0C1C DEF9 FC80 8A1C 44D0
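As an added illustration (not code from the original post or from any existing key server), here is a small Python model of the flow described above: the server mails one challenge per user ID, and only the user IDs whose mailbox confirms are marked "casually checked", which is exactly the email binding and nothing about the owner. The fingerprint, addresses and server secret are constructed placeholders, and the "certification" is recorded as a server-side note rather than as an OpenPGP signature.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample key: placeholder fingerprint, two user IDs (not a real key).
SAMPLE_KEY = {
    "fingerprint": "0000000000000000000000000000000000000000",
    "uids": ["alice@example.org", "alice@example.net"],
}

class CasualKeyServer:
    """Marks a (key, email) binding 'casually checked' only after that mailbox
    confirms a mailed challenge. Assumption: the certification is a server-side
    note, not an OpenPGP certification signature over the user ID."""
    def __init__(self, secret: bytes, now, ttl: int = 3600):
        self.secret = secret    # server MAC key (constructed by the caller)
        self.now = now          # injectable clock: callable returning seconds
        self.ttl = ttl          # seconds a challenge stays valid
        self.outbox = []        # (recipient, query) - constructed, never sent
        self.certified = {}     # fingerprint -> set of confirmed user IDs
    def _mac(self, fpr: str, uid: str, ts: int) -> str:
        # Bind the challenge to this fingerprint AND this user ID, so a link
        # mailed to one address cannot confirm another UID on the same key.
        msg = f"{fpr}\x00{uid}\x00{ts}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
    def submit(self, key: dict) -> int:
        """Steps 1-3: accept an uploaded key, mail one challenge per user ID."""
        ts = int(self.now())
        for uid in key["uids"]:
            mac = self._mac(key["fingerprint"], uid, ts)
            query = urlencode({"fpr": key["fingerprint"], "uid": uid,
                               "ts": ts, "mac": mac})
            self.outbox.append((uid, query))
        return len(key["uids"])
    def confirm(self, query: str) -> bool:
        """Step 4: recipient follows the link; only that UID gets certified."""
        p = {k: v[0] for k, v in parse_qs(query).items()}
        try:
            fpr, uid, ts, mac = p["fpr"], p["uid"], int(p["ts"]), p["mac"]
        except (KeyError, ValueError):
            return False
        if int(self.now()) - ts > self.ttl:                 # stale challenge
            return False
        if not hmac.compare_digest(self._mac(fpr, uid, ts), mac):  # tampered
            return False
        self.certified.setdefault(fpr, set()).add(uid)
        return True
    def casual_uids(self, fingerprint: str) -> list:
        """Confirmed email bindings; says nothing about who owns the key."""
        return sorted(self.certified.get(fingerprint, ()))
```

A challenge for one address cannot be reused for the second address on the same key, and an unconfirmed user ID is never marked, which is the "registering additional email addresses" detail handled per user ID.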

