email verification as casual checking?
Philip Jackson
philip.jackson at nordnet.fr
Sat Aug 23 12:56:11 CEST 2014
On 22/08/14 18:13, Nicolai Josuttis wrote:
> to deal with faked keys, some guys had the idea to use
> email verification and let then certification servers
> take that as "casual signing".
I take it that a 'faked key' in this context is one associated with an
unverified email address. If I send an encrypted message to that email address,
two possible outcomes occur to me :
- the email address belongs to some other person who does not control the key
and he can't open it. Not much problem here. My secret remains hidden.
- the email address belongs to a person who does control the key and he may or
may not be the person named in the email address. I am risking my secrets with
an unknown person. I had better take care of the nature of those secrets. It
looks like this is the case covered by your original post.
What extra security does a key server certification give in this case ? It just
says that if you use this key with this email address, the email will be
delivered to someone who controls both the address and the key.
In any case, there is always the possibility that this 'certified' person or key
is actually controlled by someone else. I have difficulty in seeing what
additional security is provided by a casual signature, given by a key-server or
by any other party.
Philip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x23543A63.asc
Type: application/pgp-keys
Size: 5190 bytes
Desc: not available
URL: </pipermail/attachments/20140823/c59e2f44/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140823/c59e2f44/attachment.sig>
More information about the Gnupg-users
mailing list