mailto with pgp fingerprint
steve at gpgtools.org
Wed Jul 23 22:02:23 CEST 2014
Wouldn’t it be a nice solution, if key server software had a mechanism for users to verify their UserID by sending a mail to the mail address in question.
Those verified keys then could be prioritized over the not verified keys when a search is done. Could still be faked, but would make faking a lot harder.
I assume this has already been discussed on some key server devel list? But have not followed that discussion, so I’m not aware.
All the best,
Am 22.07.2014 um 16:27 schrieb Werner Koch <wk at gnupg.org>:
> On Tue, 22 Jul 2014 09:40, enigmail at josuttis.de said:
>> More and more we seem to have the problem of faked keys in the key
>> servers. This especially applies to "well known" keys such as
>> authors of magazines and famous tools.
> This is actually the problem of checking the validity of the key.
> Granted, gpg is not smart enough to figure out the best matching key but
> that is something which can be fixed.
> A more simple way of tackling this is to use PKA or DANE for key
> validation: For sending mail you already need DNS and thus it would be
> easy to retrieve the matching key from the DNS. The drawback is that
> this must be configured by the key owner and can't be changed by the
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 831 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Gnupg-users