email verification as casual checking?

Robert J. Hansen rjh at sixdemonbag.org
Fri Aug 22 20:03:04 CEST 2014


> to deal with faked keys, some guys had the idea to use email
> verification and let the certification servers take that as "casual
> signing".

I think the first people to do this were at PGP Security (pre-PGP
Corporation; this was when PGP Security was owned by Network
Associates).  The PGP Global Directory worked basically this way.

> The big disadvantage besides some details (such as registering
> additional email addresses) is probably that PGP signatures usually
> sign the owner, not his/her email address, if I understood it
> correctly.

Not necessarily so.  The RFCs define syntax for signatures, but not
semantics.  The semantics are left up to each individual user to determine.

> What do you think about this idea? Was it ever discussed?

Not only was it discussed, it was implemented and ran for years.  The
Global Directory may still be running, for all I know.

However, the Global Directory didn't really solve any of PGP's usability
problems.  Was it worth doing?  Yes.  Did it live up to the hopes people
had for it?  Not really.



