email verification as casual checking?
Philip Jackson
philip.jackson at nordnet.fr
Thu Aug 28 13:12:30 CEST 2014
On 28/08/14 00:58, Steve Jones wrote:
> On Sat, 23 Aug 2014 12:56:11 +0200
> Philip Jackson <philip.jackson at nordnet.fr> wrote:
>
>> - the email address belongs to a person who does control the key and
>> he may or may not be the person named in the email address. I am
>> risking my secrets with an unknown person. I had better take care of
>> the nature of those secrets. It looks like this is the case covered
>> by your original post.
>
> Presumably you have an email address of the person for some reason,
> whether or not you want to send secrets to that address depends on
> where you got it. What you want to know is: how do you send those
> secrets securely? If the keyserver has certified the key with a
> challenge response protocol you've got your answer.
>
> Ideally you'd have an email address and a fingerprint, but often you
> don't.
Whether or not I want to send secrets to a person depends on lots of things. I
think at present that I would be unlikely to send any important secret by email.
I cannot imagine my confidence levels on the person's identity or
trustworthiness being enhanced at all by a keyserver process alone. Not even if
the keyserver were linked to a lie detector :-)
The question would always remain "Who is pulling his strings ?"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140828/1f9c190b/attachment.sig>
More information about the Gnupg-users
mailing list