email verification as casual checking?

Mathias Bauer mbauer at
Sat Aug 23 17:06:42 CEST 2014


* Nicolai Josuttis wrote on Fri, 22 Aug 2014, at 18:13 (+0200):

> to deal with faked keys, some guys had the idea to use email
> verification and let then certification servers take that as
> "casual signing".  [...]  What do you think about this idea?
> Was it ever discussed?

This has already been implemented and improved by CAcert:

Fundamentally, CAcert is known for (a) issuing X.509 certificates
to its members and for (b) building and operating a large Web of
Trust.  I think (b) is more important.  Also, CAcert offers the
possibility to certify the user IDs of its members' OpenPGP keys.
This basically works as follows:

- First, you have to create a CAcert account.  This requires an
  email address which is verified to be under your control.

- Then you try to get your identity assured.  You meet
  face-to-face with at least two assurers and present them at
  least one (two are preferred) photo IDs issued by a
  government.  Depending on the assurers' experience, you receive
  so-called assurance points.

- If you have collected 50+ assurance points, you could get your
  OpenPGP key's user ID(s) certified automatically.  This
  certification expires after one year and is a generic one
  (0x10) instead of a casual one (0x12) (RFC 4880).  See my key
  for details.

- Of course, you can add additional verified(!) email addresses
  and also get them certified.

I think this process is far better than any mere email address
validation service because OpenPGP certificates do cover the
whole user ID.  And it does *not* contain an email address only!
Usually there is a name, too!  The downside for this automatic
process to work is, of course (but not really), that a user ID is
forced to have a certain format.

Have a look at and
for further details.


CAcert Assurer

Do you want to encrypt your mail?  Then join CAcert and get your SSL
certificate from  If you have any questions,
don't hesitate to ask.

OpenPGP:  ID 0x44C3983FA7629DE8 -
Fingerprint: B100 5DC4 9686 BE64 87E9  0E22 44C3 983F A762 9DE8

More information about the Gnupg-users mailing list
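
The message above distinguishes a generic (0x10) certification from a casual (0x12) one and mentions a one-year expiry. As an added example, not part of the original post and not CAcert's or GnuPG's code, this Python parser reads those fields from a version 4 signature packet as laid out in RFC 4880; the function names and the sample bytes are constructed for illustration.

```python
CERT_LEVELS = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}

def _read_len(buf, i, two_octet_max):
    """Decode a variable length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first <= two_octet_max:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled")

def parse_certification(packet):
    """Read type, creation time and lifetime from one v4 signature packet."""
    hdr = packet[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if hdr & 0x40:                                   # new-format header
        tag = hdr & 0x3F
        length, i = _read_len(packet, 1, 223)
    else:                                            # old-format header
        tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(hdr & 3)
        if size is None:
            raise ValueError("indeterminate length is not handled")
        length, i = int.from_bytes(packet[1:1 + size], "big"), 1 + size
    body = packet[i:i + length]
    if tag != 2 or len(body) != length or length < 6 or body[0] != 4:
        raise ValueError("expected a complete version 4 signature packet")
    hashed = body[6:6 + int.from_bytes(body[4:6], "big")]
    info = {"type": body[1], "level": CERT_LEVELS.get(body[1]),
            "created": None, "lifetime": None}
    j = 0
    while j < len(hashed):                           # hashed subpackets only
        sub_len, j = _read_len(hashed, j, 254)
        if sub_len == 0 or j + sub_len > len(hashed):
            raise ValueError("malformed subpacket")
        sub_type, data = hashed[j] & 0x7F, hashed[j + 1:j + sub_len]
        if sub_type == 2:                            # signature creation time
            info["created"] = int.from_bytes(data, "big")
        elif sub_type == 3:                          # seconds of validity after creation
            info["lifetime"] = int.from_bytes(data, "big")
        j += sub_len
    return info

# Constructed sample: generic (0x10) certification, 365-day lifetime, dummy hash/MPI bytes.
SAMPLE = bytes.fromhex("8819" "04100108" "000c" "050253f80000" "050301e13380"
                       "0000" "abcd" "0008ff")
```

Only the hashed subpacket area is read, because values in the unhashed area are not covered by the signature and can be altered by anyone who handles the key.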