email verification as casual checking?

Mathias Bauer mbauer at mailbox.org
Sat Aug 23 17:06:42 CEST 2014


Hi,

* Nicolai Josuttis wrote on Fri, 22 Aug 2014, at 18:13 (+0200):

> to deal with faked keys, some guys had the idea to use email
> verification and then let certification servers take that as
> "casual signing".  [...]  What do you think about this idea?
> Was it ever discussed?

this has already been implemented and improved by CAcert:

Fundamentally, CAcert is known for (a) issuing X.509 certificates
to its members and for (b) building and operating a large Web of
Trust.  I think (b) is more important.  CAcert also offers the
possibility to certify the user IDs of its members' OpenPGP keys.
This basically works as follows:

- First, you have to create a CAcert account.  This requires an
  email address which is verified to be under your control.

- Then you try to get your identity assured.  You meet
  face-to-face with at least two assurers and present them at
  least one (two are preferred) government-issued photo ID.
  Depending on the assurers' experience you receive so-called
  assurance points.

- If you have collected 50+ assurance points, you could get your
  OpenPGP key's user ID(s) certified automatically.  This
  certification expires after one year and is a generic one
  (0x10) instead of a casual one (0x12) (RFC 4880).  See my key
  for details.

- Of course, you can add additional verified(!) email addresses
  and also get them certified.

I think this process is far better than any mere email address
validation service, because OpenPGP certifications cover the
whole user ID, and a user ID does *not* contain only an email
address: usually there is a name, too!  The downside, for this
automatic process to work, is of course (but not really) that a
user ID is forced to have a certain format.

Have a look at http://www.cacert.org and http://wiki.cacert.org
for further details.

Regards,
Mathias

-- 
CAcert Assurer

Do you want to encrypt your mail?  Then join CAcert and get your SSL
certificate from https://www.CAcert.org.  If you have any questions,
don't hesitate to ask.

OpenPGP:  ID 0x44C3983FA7629DE8 - http://www.sks-keyservers.net
Fingerprint: B100 5DC4 9686 BE64 87E9  0E22 44C3 983F A762 9DE8
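The post distinguishes a generic certification (0x10) from a casual one (0x12) and points out that CAcert's certifications expire after one year. Both facts live in the signature packet itself (RFC 4880 section 5.2: the signature type octet and the signature expiration time subpacket), so a practitioner can check them without trusting a key server's display. The following script is an added example, not code from the post, from CAcert or from GnuPG: it parses v4 signature packets, reports the certification class and expiry, and decides whether a certification is still in force at a given time. It does not verify the signature cryptographically (that needs the issuer's key). The two signature packets it parses are constructed test vectors with placeholder MPIs; the issuer key ID is the one from the signature block above, and the creation time, the one-year validity and the "casual" comparison signature are assumptions chosen to mirror the post.

```python
"""Inspect OpenPGP certification signatures (RFC 4880, section 5.2).

Added example: parses v4 signature packets (old- and new-format headers),
reports the certification class and expiration, and checks whether a
certification is in force at a given time.  No cryptographic verification.
"""
import struct
from datetime import datetime, timedelta, timezone

SIG_TYPES = {                      # RFC 4880 5.2.1, the four user-ID certifications
    0x10: "generic certification",
    0x11: "persona certification",
    0x12: "casual certification",
    0x13: "positive certification",
}
SUB_CREATION_TIME, SUB_EXPIRATION_TIME, SUB_ISSUER = 2, 3, 16   # RFC 4880 5.2.3.1

def _read_len(buf, pos):
    """New-format packet length (4.2.2) and subpacket length (5.2.3.1) share this encoding."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not supported")

def _parse_subpackets(data):
    """Return {subpacket type: body}; the high bit of the type is the 'critical' flag."""
    out, pos = {}, 0
    while pos < len(data):
        length, pos = _read_len(data, pos)          # length covers type octet + body
        out[data[pos] & 0x7F] = data[pos + 1:pos + length]
        pos += length
    return out

def _parse_v4_signature(body):
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    sig_type = body[1]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = _parse_subpackets(body[6:6 + hashed_len])
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = _parse_subpackets(body[pos + 2:pos + 2 + unhashed_len])
    # Only the hashed area is covered by the signature: take the time bounds
    # from there exclusively; the issuer ID is conventionally unhashed.
    created = datetime.fromtimestamp(
        struct.unpack(">I", hashed[SUB_CREATION_TIME])[0], timezone.utc)
    expires = None
    if SUB_EXPIRATION_TIME in hashed:
        secs = struct.unpack(">I", hashed[SUB_EXPIRATION_TIME])[0]
        if secs:                                   # zero means "never expires"
            expires = created + timedelta(seconds=secs)
    issuer = hashed.get(SUB_ISSUER) or unhashed.get(SUB_ISSUER)
    return {"type": sig_type,
            "class": SIG_TYPES.get(sig_type, "non-certification (0x%02x)" % sig_type),
            "created": created, "expires": expires,
            "issuer": issuer.hex().upper() if issuer else None}

def parse_signature_packets(blob):
    """Walk a packet sequence (e.g. binary `gpg --export` output), return parsed signatures."""
    sigs, pos = [], 0
    while pos < len(blob):
        ctb = blob[pos]
        if not ctb & 0x80:
            raise ValueError("not a packet header at offset %d" % pos)
        if ctb & 0x40:                               # new-format header
            tag = ctb & 0x3F
            length, pos = _read_len(blob, pos + 1)
        else:                                        # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            fmt = {0: ">B", 1: ">H", 2: ">I"}.get(ltype)
            if fmt is None:
                raise ValueError("indeterminate length is not supported")
            length = struct.unpack(fmt, blob[pos + 1:pos + 1 + struct.calcsize(fmt)])[0]
            pos += 1 + struct.calcsize(fmt)
        body, pos = blob[pos:pos + length], pos + length
        if tag == 2:                                 # skip key / user-ID / subkey packets
            sigs.append(_parse_v4_signature(body))
    return sigs

def is_valid_at(sig, when):
    """True if the certification's time bounds allow it at `when` (no crypto check)."""
    if sig["created"] > when:
        return False
    return sig["expires"] is None or when < sig["expires"]

# ---- constructed test vectors (assumptions, not real CAcert signatures) ----
def _subpacket(sub_type, data):
    return bytes([len(data) + 1, sub_type]) + data

def build_certification(sig_type, created, expires_after=None,
                        issuer=bytes.fromhex("44C3983FA7629DE8")):   # key ID from the post
    subs = _subpacket(SUB_CREATION_TIME, struct.pack(">I", int(created.timestamp())))
    if expires_after is not None:
        subs += _subpacket(SUB_EXPIRATION_TIME, struct.pack(">I", int(expires_after.total_seconds())))
    hashed = struct.pack(">H", len(subs)) + subs
    unhashed = struct.pack(">H", 10) + _subpacket(SUB_ISSUER, issuer)
    # RSA (1), SHA-256 (8); hash prefix and the 16-bit MPI are placeholders, not a real signature.
    body = bytes([4, sig_type, 1, 8]) + hashed + unhashed + b"\xAB\xCD" + b"\x00\x10\x01\x23"
    return bytes([0xC2, len(body)]) + body           # new-format header, tag 2

CREATED = datetime(2014, 8, 23, 15, 6, 42, tzinfo=timezone.utc)   # assumed
ONE_YEAR = timedelta(days=365)
SAMPLE_KEYRING = (build_certification(0x10, CREATED, ONE_YEAR)    # CAcert-style, one year
                  + build_certification(0x12, CREATED))           # casual, never expires

def summarize(blob=SAMPLE_KEYRING, now=None):
    now = now or datetime.now(timezone.utc)
    return [(s["class"], s["issuer"], s["expires"], is_valid_at(s, now))
            for s in parse_signature_packets(blob)]

if __name__ == "__main__":
    for cls, issuer, exp, ok in summarize(now=CREATED + ONE_YEAR + timedelta(days=1)):
        print(f"{cls:24} issuer {issuer}  expires {exp or 'never'}  in force: {ok}")
```

Run as is, the script reports the generic certification as expired one day after its year is up and the casual one as still in force. On a real key the same fields are what `gpg --list-packets` prints for each signature packet; the parser should also accept the binary output of `gpg --export`, although that path is not exercised by the constructed sample. Two points the code makes that the post does not spell out: the time bounds are only trustworthy because they sit in the hashed subpacket area, and a certification that parses fine still says nothing until its signature is verified against the issuer's key.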


More information about the Gnupg-users mailing list