Proposal of OpenPGP Email Validation
Neal H. Walfield
neal at walfield.org
Tue Jul 28 01:28:10 CEST 2015
At Mon, 27 Jul 2015 17:51:56 +0200,
Patrick Brunschwig wrote:
>
> On 27.07.15 14:15, Neal H. Walfield wrote:
> > Hi,
> >
> > I guess you mean this:
> >
> > The idea I have in mind is roughly as follows: if you upload a key to
> > a keyserver, the keyserver would send an encrypted email to every UID
> > in the key. Each encrypted mail contains a unique link to confirm the
> > email address. Once all email addresses are confirmed, the key is
> > validated and the keyserver will allow access to it just like with any
> > regular keyserver.
> >
> > This approach is not going to stop a nation state. A nation state can
> > intercept the mail, decrypt it and follow the link.
>
> If the email can be decrypted, then any email can be decrypted, which
> would turn OpenPGP useless.
Sorry. This was definitely unclear. What I meant is: a nation state
can create a "fake" key, upload it to the key server and intercept the
mail encrypted to the fake key thereby validating the fake key.
> In any case, the target users are not the Edward Snowdens of this world,
> but the 99% of people who just want to communicate easily with each
> other and don't want to be bothered too much with complicated key
> lookup/verification scenarios.
This is a worthy goal :).
:) Neal
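
The validation flow discussed in this thread, modelled as an added example (not code from the thread or from any keyserver project). The class and function names, the `FPR-...` fingerprints and the address are hypothetical, and OpenPGP encryption is abstracted to "a party learns the token only if it both receives the mail and holds the secret key". It shows what a confirmation does and does not prove: a stranger's upload stays unpublished, while a party that controls mail delivery confirms its own key.

```python
import hashlib
import hmac
import secrets

class ValidatingKeyserver:
    """Toy model of the proposal: a key is served only once every UID confirmed."""

    def __init__(self):
        self.pending = {}       # fingerprint -> {uid: sha256(token)}
        self.published = set()  # fingerprints the server will hand out

    def upload(self, fpr, uids):
        """Queue one mail per UID as (recipient, encrypt-to fingerprint, token)."""
        self.pending[fpr] = {}
        mails = []
        for uid in uids:
            token = secrets.token_urlsafe(32)  # the secret part of the unique link
            self.pending[fpr][uid] = hashlib.sha256(token.encode()).digest()
            mails.append((uid, fpr, token))
        return mails

    def confirm(self, fpr, uid, token):
        """Accept a token once; publish the key when no UID is left pending."""
        want = self.pending.get(fpr, {}).get(uid)
        got = hashlib.sha256(token.encode()).digest()
        if want is None or not hmac.compare_digest(want, got):
            return False
        del self.pending[fpr][uid]             # single use
        if not self.pending[fpr]:              # last UID confirmed: publish
            del self.pending[fpr]
            self.published.add(fpr)
        return True

def readable(mails, sees_mail_for, secret_keys):
    """A party learns a token only if it receives the mail AND can decrypt it."""
    return [m for m in mails if m[0] in sees_mail_for and m[1] in secret_keys]

def run_scenarios():
    ks = ValidatingKeyserver()
    addr = "alice@example.org"                 # constructed sample address
    parties = {                                # fingerprint -> mailboxes its uploader reads
        "FPR-OWNER": {addr},                   # the real mailbox owner
        "FPR-STRANGER": set(),                 # uploads a key for addr, never sees the mail
        "FPR-ON-PATH": {addr},                 # controls mail delivery for addr
    }
    for fpr, mailboxes in parties.items():
        for uid, f, token in readable(ks.upload(fpr, [addr]), mailboxes, {fpr}):
            ks.confirm(f, uid, token)
    return {fpr: fpr in ks.published for fpr in parties}
```

In this model the server cannot tell `FPR-OWNER` from `FPR-ON-PATH`, so a relying client still needs an independent check (for example fingerprint comparison) when that threat is in scope.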