Non email addresses in UID

Steve Jones steve at secretvolcanobase.org
Wed Jan 29 00:37:25 CET 2014


On Tue, 28 Jan 2014 20:13:30 +0100
Leo Gaspard <ekleog at gmail.com> wrote:

> On Fri, Jan 24, 2014 at 11:08:16PM +0000, Steve Jones wrote:
> > [...]
> > 
> > Finally there's the possibility of explicit verification, if someone
> > sends me a challenge and I publish that challenge's signature on my
> > blog then that verifies that I am in control of that private key and
> > can publish to that blog.
> > 
> > [...]
> 
> Wouldn't it be better to publish unencrypted (and unsigned) a challenge received
> encrypted? As signing unknown data should be avoided, as no one knows whether
> this data won't ever have a real meaning one does not intend to mean.

The challenge would not need to be the sole content of the message that
is signed, so long as it is contained in the signed content. A simple
human readable message to the effect that the signature is for response
to a challenge should suffice. A more sophisticated approach would be
for OpenPGP to include a new signature type for this purpose.

-- 
Steve Jones <steve at secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC  4272 2AC8 A680 7167 C896
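
The approach described in the reply above (the challenge embedded in a human-readable statement of purpose before signing), sketched as an added example that is not part of the original message. The statement wording, the 32-hex-digit nonce format and all function names are assumptions; the OpenPGP signing and signature verification themselves are left to GnuPG.

```python
import re
import secrets

# Assumed wording; any fixed, unambiguous purpose line would serve.
PURPOSE = "This signature is only a response to a key-control challenge."
# Assumed challenge format: a 128-bit random nonce in lowercase hex.
NONCE_RE = re.compile(r"[0-9a-f]{32}")


def new_challenge() -> str:
    """Verifier side: a random nonce that carries no meaning of its own."""
    return secrets.token_hex(16)


def build_statement(challenge: str, fingerprint: str) -> str:
    """Signer side: refuse anything that is not a bare nonce, then wrap it
    in the purpose line. The returned text is what gets signed."""
    if not NONCE_RE.fullmatch(challenge):
        raise ValueError("challenge is not a 32-hex-digit nonce; refusing to sign")
    return f"{PURPOSE}\nKey fingerprint: {fingerprint}\nChallenge: {challenge}\n"


def check_statement(text: str, challenge: str, fingerprint: str) -> bool:
    """Verifier side: run on the signed text after its signature has verified.
    Accepts only the exact three-line statement for this challenge and key."""
    lines = text.splitlines()
    if len(lines) != 3 or lines[0] != PURPOSE:
        return False
    return (lines[1] == f"Key fingerprint: {fingerprint}"
            and lines[2] == f"Challenge: {challenge}")


if __name__ == "__main__":
    fpr = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"  # constructed placeholder
    nonce = new_challenge()
    statement = build_statement(nonce, fpr)
    print(statement, end="")
    print("accepted:", check_statement(statement, nonce, fpr))
```

Restricting the challenge to a fixed-format nonce is one way to address the concern about signing data of unknown meaning: free text is rejected before anything is signed.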


More information about the Gnupg-users mailing list