Proposal of OpenPGP Email Validation
Ingo Klöcker
kloecker at kde.org
Wed Jul 29 12:05:13 CEST 2015
On Wednesday 29 July 2015 07:42:34 nico at enigmail.net wrote:
> Am 29.07.2015 um 03:30 schrieb MFPA:
> > Why not simplify the workflow:-
> >
> > 1. key reaches validation server.
> >
> > 2. for each UID containing an email address, validation server creates
> > a copy of the key stripped of all other UIDs.
> >
> > 3. validation server signs that copy of the key.
> >
> > 4. validation server pastes the signed key into an email, encrypts the
> > email to that key, and sends it to the email address in the UID.
> >
> > 5. user receives each email, decrypts it, and updates their local copy of
> > their key.
> >
> > 6. user uploads key now bearing the validation server's signatures to
> > a keyserver.
> >
> > There is still the same level of assurance that the email address and
> > private key are controlled by the same entity. Advantages are:-
> > c. Changes to the user's key are uploaded to the keyserver by the
> > user, not by the validation server.
>
> Is this a real benefit?
A possible benefit would be that the user can choose not to upload the
validation signatures to the keyservers. With a minor change in step 1 (the
key owner uploads his key to the validation server without uploading it to a
keyserver) the UID validation would even work for keys which its owner does
not want to upload to a public keyserver.
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20150729/b4b3d655/attachment.sig>
More information about the Gnupg-users
mailing list