mailto with pgp fingerprint

steve steve at
Wed Jul 23 22:02:23 CEST 2014

Wouldn’t it be a nice solution, if key server software had a mechanism for users to verify their UserID by sending a mail to the mail address in question.

Those verified keys then could be prioritized over the not verified keys when a search is done. Could still be faked, but would make faking a lot harder.

I assume this has already been discussed on some key server devel list? But have not followed that discussion, so I’m not aware.

All the best,

Am 22.07.2014 um 16:27 schrieb Werner Koch <wk at>:

> On Tue, 22 Jul 2014 09:40, enigmail at said:
>> More and more we seem to have the problem of faked keys in the key
>> servers. This especially applies to "well known" keys such as
>> authors of magazines and famous tools.
> This is actually the problem of checking the validity of the key.
> Granted, gpg is not smart enough to figure out the best matching key but
> that is something which can be fixed.
> A more simple way of tackling this is to use PKA or DANE for key
> validation: For sending mail you already need DNS and thus it would be
> easy to retrieve the matching key from the DNS.  The drawback is that
> this must be configured by the key owner and can't be changed by the
> sender.
> Shalom-Salam,
>   Werner
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 831 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: </pipermail/attachments/20140723/7265d484/attachment.sig>

More information about the Gnupg-users mailing list