email verification as casual checking?

Philip Jackson philip.jackson at nordnet.fr
Thu Aug 28 13:12:30 CEST 2014


On 28/08/14 00:58, Steve Jones wrote:
> On Sat, 23 Aug 2014 12:56:11 +0200
> Philip Jackson <philip.jackson at nordnet.fr> wrote:
> 
>> - the email address belongs to a person who does control the key and
>> he may or may not be the person named in the email address.  I am
>> risking my secrets with an unknown person.  I had better take care of
>> the nature of those secrets.  It looks like this is the case covered
>> by your original post.
> 
> Presumably you have an email address of the person for some reason,
> whether or not you want to send secrets to that address depends on
> where you got it. What you want to know is: how do you send those
> secrets securely? If the keyserver has certified the key with a
> challenge response protocol you've got your answer.
> 
> Ideally you'd have an email address and a fingerprint, but often you
> don't.

Whether or not I want to send secrets to a person depends on lots of things.  I
think at present that I would be unlikely to send any important secret by email.
 I cannot imagine my confidence levels on the person's identity or
trustworthiness being enhanced at all by a keyserver process alone.  Not even if
the keyserver were linked to a lie detector :-)

The question would always remain "Who is pulling his strings ?"



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140828/1f9c190b/attachment.sig>


More information about the Gnupg-users mailing list