Non email addresses in UID

Steve Jones steve at secretvolcanobase.org
Sat Jan 25 00:08:16 CET 2014


On Fri, 24 Jan 2014 17:16:28 -0500
Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

> what do you mean "complete connection security via OpenPGP"?  OpenPGP
> is not a stream-based communications protocol, it's a specification
> of a message format and a certificate format.   Inventing a new
> stream-based communications protocol from scratch and shoehorning it
> into OpenPGP doesn't sound like a great idea to me.

OpenPGP is a packetised data format. There's nothing stopping it being
used to send a stream of encrypted and signed data packets. The main
thing you lose is the complicated and messy handshake at the start
which seems to be the cause of so many implementation bugs. You do
lose the possibility of perfect forward secrecy though.

It was more an idle musing than anything else though.

> how are other people going to verify these proposed User IDs?
> 
> If you make a data element a subkey or a notation in your
> self-signature, you are not asking other people to attempt to certify
> it.
> 
> If you make the same data element a User ID or User Attribute, then
> you are effectively putting it out there for other people to attempt
> to verify and then certify.
> 
> If you came to me and said "I am the person who blogs at
> https://www.example.com/stevejones" , how am i supposed to verify
> that? when would you want me to certify it?

Well the simplest way would be if I signed my blog posts. It's easy
enough to verify that my emails and posts are signed with the same key.
Cryptographically easy that is, the existing tools are not so good for
this kind of method of operation.

Otherwise by usual web of trust means. If people who know me by other
means are convinced that that blog is mine they can sign that UID, in
the same manner as people could sign a photo attribute if they know
what I look like.

Finally there's the possibility of explicit verification, if someone
sends me a challenge and I publish that challenge's signature on my
blog then that verifies that I am in control of that private key and
can publish to that blog.

Which reminds me that I'd really like an email client that
automatically signs keys at level 1 (persona) of anyone who replies
with a signed email that quotes a significant portion of the text I
sent, as this effectively counts as a challenge response protocol in my
book.

-- 
Steve Jones <steve at secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC  4272 2AC8 A680 7167 C896
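
The quoted-reply check described in the message above, as an added example that is not part of the original post or of any mail client: it measures how much of a sent mail reappears inside the `>`-quoted lines of a signed reply, tolerating re-wrapped quotes. The function names, the thresholds and the sample mails are assumptions, and the signature result is taken as an input from an OpenPGP verifier run over exactly the reply text passed in.

```python
import re
import textwrap

SHINGLE = 5         # words per shingle (assumed)
MIN_WORDS = 40      # assumed: shorter mails are too guessable to serve as a challenge
MIN_FRACTION = 0.5  # assumed meaning of "a significant portion"

def words(text):
    return re.findall(r"[a-z0-9']+", text.lower())

def shingles(tokens, n=SHINGLE):
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def quoted_words(signed_body):
    """Words from '>'-quoted lines only, markers stripped, so re-wrapped quotes still match."""
    out = []
    for line in signed_body.splitlines():
        m = re.match(r"\s*(?:>\s?)+(.*)", line)
        if m:
            out.extend(words(m.group(1)))
    return out

def quoted_fraction(sent_body, signed_reply_body):
    """Share of the sent mail's word shingles that reappear in the reply's quoted text."""
    sent = shingles(words(sent_body))
    if not sent:
        return 0.0
    return len(sent & shingles(quoted_words(signed_reply_body))) / len(sent)

def qualifies_for_persona_cert(sent_body, signed_reply_body, signature_valid):
    """signature_valid must come from an OpenPGP verifier run over exactly signed_reply_body."""
    if not signature_valid or len(words(sent_body)) < MIN_WORDS:
        return False
    return quoted_fraction(sent_body, signed_reply_body) >= MIN_FRACTION

# Constructed sample mail and replies (not real traffic).
SENT = (
    "I am testing whether your key is really yours. Please reply to this "
    "message, signed, and quote the text below so I can compare it. The random "
    "phrase for this exchange is: copper lantern seventeen walrus meridian "
    "orchard. Nobody else has seen this phrase, so a signed reply that quotes it "
    "shows you read this mail and hold the key."
)
FULL_REPLY = "Yes, that is my key.\n\n" + textwrap.indent(textwrap.fill(SENT, 60), "> ")
PARTIAL_REPLY = "> I am testing whether your key is really yours.\n\nSure."

if __name__ == "__main__":
    for name, reply in (("full", FULL_REPLY), ("partial", PARTIAL_REPLY)):
        print(name, round(quoted_fraction(SENT, reply), 2),
              qualifies_for_persona_cert(SENT, reply, signature_valid=True))
```

Only text inside the signed part of the reply should be passed in, since quoted lines outside the signature prove nothing about the key holder.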