Proposal of OpenPGP Email Validation
Ingo Klöcker
kloecker at kde.org
Mon Jul 27 16:31:15 CEST 2015
On Monday 27 July 2015 07:55:03 nico at enigmail.net wrote:
> Hi all,
>
> in March we discussed here
> "German ct magazine postulates death of pgp encryption"
> and Patrick Brunschwig proposed a way to validate email addresses
>
> I also had in mind:
> > http://lists.gnupg.org/pipermail/gnupg-users/2015-March/052882.html
>
> In the past months I tried to come up with a concrete proposal.
> I discussed it already with some people and
> this is what I/we propose so far.
> The proposal is not perfect and not completely worked out
> but IMO it is ready for a broader discussion and review.
This whole concept of a whitelist of "trusted validation servers" included in
the email clients sounds a lot like the CA certificate bundles included in
browsers and/or OSes. Who is going to maintain this whitelist? The email
client developers? The OS manufactures? Who is going to certify "trusted
validation servers", i.e. who is going to tell benign validation servers apart
from malignant validation servers?
Your proposal seems to repeat a lot of the (failed) concepts of the
centralized CA approach. For this reason I think the approach is doomed to
fail the same way the centralized CA approach has failed (even if everybody
seems to ignore its failure).
I'd rather put my bets on a DANE-based approach like
https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20150727/5a12d106/attachment.sig>
More information about the Gnupg-users
mailing list