Proposal of OpenPGP Email Validation

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Wed Jul 29 02:48:54 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Tuesday 28 July 2015 at 8:17:28 PM, in
<mid:55B7D548.4020104 at enigmail.net>, nico at enigmail.net wrote:


> AFAIK, there are not THAT many faked keys, but the
> problem exists especially for key parties of our
> internet world (a famous German magazine, at least one
> GPG tool, ...). The problem is that the German magazine
> takes this as a show stopper (both personally and
> publicly). I really want to have them back on our road
> for more encryption with OpenPGP. And the "publicity"
> we get from not validating email addresses is really a
> big problem (especially as fixing that problems sounds
> so easy and obvious). Thus, without fixing this, IMO
> the whole OpenPGP movement has a reputation problem.

I understand what you are saying. I cannot help but think they are
making a mountain out of a molehill by characterising this minor
irritation as a "show stopper". Putting something in place to
counteract the issue is one approach. Would it not be an equally-valid
approach to educate them as to why it is a non-issue, which they could
then disseminate through their magazine?



> Today, people with faked keys simply get unreadable
> emails, but don't know whether there were trolls or
> spies at work.

They can, however, search on keyservers for the key to which the
message was encrypted. Or ask the sender where they got it and to
forward a copy for inspection.



> After validating their own key, only one
> of two things can happen:
[snipped]
>  either the
> problem is solved or we know that the problem is more
> severe than just a work of trolls only uploading a
> faked key for fun.

Fair enough.



> But if G claims that an email address was validated
> although it was not, they express this as a public
> signature visible to the whole world. If they do that,
> people can/will find out and blame G. But that's
> something G clearly wants to avoid (they need trust by
> their customers). Thus, they have much more interest
> not to signal validation of a faked key because any
> violation here is easy to detect.

The provider could claim the user's password must have been
compromised and that was how the validation occurred without the
user's knowledge. They could even make the user jump through password
reset and security question hoops the next time they log in. Anyway,
after ten minutes public attention will switch to something else.



- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Adults are obsolete children.
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJVuCMBXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwxpYH/jjZIF0ue4m1F8WJSdNt3fcG
WGrdQT5rpOG8hUUcCPA36NTeKA9zWrREgFgZX2lRIPOwCTzaHzlw3SRNc42yOS2/
ayviJbN714zrl0tT6zhYlb3T4lQo0mX8S8G4EkzUECt9DPYZOsv6YPxv+WcNMDGa
YwAsEvXQHD4uXe2bmvO2zIjNsehYBnISPKv4dr9XHMjxOVUTSPmmBsRkYnrVP6mN
MEXf9VQJUtybnrWUlhE3WqAX1zBdTMwfm1PlpWNUTMPTtluoW7qabEI5kGMuPRsj
AygSJvUqUzs5wlg2jVhvUfAK4eeNBnua+U0duvIsfP4xeeYWN1r1uzjC7m+y6xyI
vgQBFgoAZgUCVbgjB18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45J18AQCVilysc7qVQt09cSq0/nxPAq+j
Y4OGfgsiB1itI5jVFgEA95f3usAyVwOh3xKv4KJpXZqBjHxKD/B18U+TDmTitwU=
=dOC/
-----END PGP SIGNATURE-----




More information about the Gnupg-users mailing list