Proposal of OpenPGP Email Validation

Neal H. Walfield neal at walfield.org
Tue Jul 28 01:28:10 CEST 2015


At Mon, 27 Jul 2015 17:51:56 +0200,
Patrick Brunschwig wrote:
> 
> On 27.07.15 14:15, Neal H. Walfield wrote:
> > Hi,
> > 
> > I guess you mean this:
> > 
> >   The idea I have in mind is roughly as follows: if you upload a key to
> >   a keyserver, the keyserver would send an encrypted email to every UID
> >   in the key. Each encrypted mail contains a unique link to confirm the
> >   email address. Once all email addresses are confirmed, the key is
> >   validated and the keyserver will allow access to it just like with any
> >   regular keyserver.
> > 
> > This approach is not going to stop a nation state.  A nation state can
> > intercept the mail, decrypt it and follow the link.
> 
> If the email can be decrypted, then any email can be decrypted, which
> would turn OpenPGP useless.

Sorry.  This was definately unclear.  What I meant is: a nation state
can create a "fake" key, upload it to the key server and intercept the
mail encrypted to the fake key thereby validating the fake key.

> In any case, the target users are not the Edward Snowdens of this world,
> but the 99% of people who just want to communicate easily with each
> other and don't want to be bothered too much with key complicated key
> lookup/verification scenarios.

This is a worthy goal :).

:) Neal



More information about the Gnupg-users mailing list