email verification as casual checking?
mbauer at mailbox.org
Sat Aug 23 17:06:42 CEST 2014
* Nicolai Josuttis wrote on Fri, 22 Aug 2014, at 18:13 (+0200):
> to deal with faked keys, some guys had the idea to use email
> verification and let then certification servers take that as
> "casual signing". [...] What do you think about this idea?
> Was it ever discussed?
this has already been implemented and improved by CAcert:
Fundamentally, CAcert is known for (a) issuing X.509 certificates
to its members and for (b) building and operating a large Web of
Trust. I think, (b) is more important. Also, CAcert offers the
possibility to certify the user IDs of its members' OpenPGP keys.
This basically works as follows:
- First, you have to create a CAcert account. This requires an
email address which is verified to be under your control.
- Then you try to get your identity assured. You meet
face-to-face with at least two assurers and present them at
least one (two are preferred) photo IDs issued by a
government. Depending on the assurers' experience you receive
so called assurance points.
- If you have collected 50+ assurance points, you could get your
OpenPGP key's user ID(s) certified automatically. This
certification expires after one year and is a generic one
(0x10) instead of a casual one (0x12) (RFC 4880). See my key
- Of course, you can add additional verified(!) email addresses
and also get them certified.
I think, this process is far better than any mere email address
validation service because OpenPGP certificates do cover the
whole user ID. And it does *not* contain an email address only!
Usually there is a name, too! The downside for this automatic
process to work is, of course (but not really), that a user ID is
forced to have a certain format.
Have a look at http://www.cacert.org and http://wiki.cacert.org
for further details.
Do you want to encrypt your mail? Then join CAcert and get your SSL
certificate from https://www.CAcert.org. If you have any questions,
don't hesitate to ask.
OpenPGP: ID 0x44C3983FA7629DE8 - http://www.sks-keyservers.net
Fingerprint: B100 5DC4 9686 BE64 87E9 0E22 44C3 983F A762 9DE8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 455 bytes
Desc: not available
More information about the Gnupg-users