Proposal of OpenPGP Email Validation

Ingo Klöcker kloecker at kde.org
Wed Jul 29 12:05:13 CEST 2015


On Wednesday 29 July 2015 07:42:34 nico at enigmail.net wrote:
> Am 29.07.2015 um 03:30 schrieb MFPA:
> > Why not simplify the workflow:-
> > 
> > 1. key reaches validation server.
> > 
> > 2. for each UID containing an email address, validation server creates
> >    a copy of the key stripped of all other UIDs.
> > 
> > 3. validation server signs that copy of the key.
> > 
> > 4. validation server pastes the signed key into an email, encrypts the
> >    email to that key, and sends it to the email address in the UID.
> > 
> > 5. user receives each email, decrypts it, and updates their local copy of
> >    their key.
> > 
> > 6. user uploads key now bearing the validation server's signatures to
> >    a keyserver.
> >
> > There is still the same level of assurance that the email address and
> > private key are controlled by the same entity. Advantages are:-
> > c. Changes to the user's key are uploaded to the keyserver by the
> >    user, not by the validation server.
> 
> Is this a real benefit?

A possible benefit would be that the user can choose not to upload the 
validation signatures to the keyservers. With a minor change in step 1 (the 
key owner uploads his key to the validation server without uploading it to a 
keyserver) the UID validation would even work for keys whose owner does 
not want to upload them to a public keyserver.


Regards,
Ingo
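As an added example, not part of the thread and not code from GnuPG or Enigmail, the six-step workflow quoted above is run end to end on the command line with GnuPG, with the change to step 1 described in the reply: the owner hands the key to the validation server directly and no keyserver is touched at any point. Two isolated keyrings stand in for the owner and the server; the names, addresses and file names are constructed. It assumes GnuPG 2.1.14 or later (for --quick-gen-key, --quick-add-uid, --quick-sign-key and --export-filter) and that gpg-agent can be started under a temporary GNUPGHOME.

```shell
#!/bin/sh
# Added example (not from the thread, GnuPG or Enigmail): the proposed
# validation workflow run end to end with GnuPG and no keyserver.
# Assumes GnuPG >= 2.1.14.  All names, addresses and paths are constructed.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found; skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
OWNER="$WORK/owner"    # the key owner's keyring
SERVER="$WORK/server"  # the validation server's keyring
mkdir -m 700 "$OWNER" "$SERVER"

cleanup() {
  for h in "$OWNER" "$SERVER"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Non-interactive gpg against one of the two keyrings.  An empty --passphrase
# in batch/loopback mode yields unprotected keys, so nothing ever prompts.
gpgq() {
  home=$1; shift
  GNUPGHOME="$home" gpg --batch --yes --quiet --no-tty \
    --pinentry-mode loopback --passphrase '' "$@"
}

# Primary fingerprint of the key whose user ID matches the given string.
fpr_of() {
  gpgq "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Count certifications made by the validation server's key inside an exported
# key file (self-signatures carry the owner's key ID, not the server's).
server_certs_in() {
  gpgq "$OWNER" --list-packets "$1" | grep -c "signature packet.*keyid $SKEYID" || true
}

# The owner holds one key with two e-mail user IDs; the server has its own signing key.
gpgq "$OWNER" --quick-gen-key 'Alice <alice@example.org>' default default never
AFPR=$(fpr_of "$OWNER" alice@example.org)
gpgq "$OWNER" --quick-add-uid "$AFPR" 'Alice <alice@example.net>'
gpgq "$SERVER" --quick-gen-key 'Validation Server <validate@example.com>' default default never
SFPR=$(fpr_of "$SERVER" validate@example.com)
SKEYID=$(printf '%s' "$SFPR" | cut -c25-40)   # long key ID = last 16 hex digits

# Step 1 (as changed in the reply): the owner sends the key straight to the server.
gpgq "$OWNER" --export "$AFPR" > "$WORK/alice.pub"
gpgq "$SERVER" --import "$WORK/alice.pub"

for MBOX in alice@example.org alice@example.net; do
  # Steps 2-3: certify this one user ID, then export a copy stripped of all others.
  gpgq "$SERVER" --quick-sign-key "$AFPR" "Alice <$MBOX>"
  gpgq "$SERVER" --export --export-filter "keep-uid=mbox=$MBOX" "$AFPR" > "$WORK/$MBOX.key"
  # Step 4: the "mail" is that copy encrypted to the key; only the holder of the
  # private key can read it (the key is untrusted on the server, hence trust-model always).
  gpgq "$SERVER" --trust-model always --armor --recipient "$AFPR" \
    --output "$WORK/$MBOX.msg" --encrypt "$WORK/$MBOX.key"
  # Step 5: the owner decrypts it and merges the certification into the local copy.
  gpgq "$OWNER" --decrypt "$WORK/$MBOX.msg" | gpgq "$OWNER" --import
done

# Step 6 is the owner's decision: alice.pub carries no server certifications,
# alice-validated.pub carries one per e-mail user ID; either may go to a keyserver.
gpgq "$OWNER" --export "$AFPR" > "$WORK/alice-validated.pub"
echo "server certifications before: $(server_certs_in "$WORK/alice.pub"), after: $(server_certs_in "$WORK/alice-validated.pub")"
```

The strip-then-sign order of steps 2 and 3 is realised here by certifying one user ID in the server's keyring and exporting with keep-uid, so each mailed copy carries exactly one user ID and the certification on it; the server never holds the secret key, and the assurance is the one stated in the quoted proposal: whoever can decrypt the mail holds the private key and reads mail at that address. One caveat the proposal does not spell out: the owner's import in step 5 accepts any certification in the decrypted mail, so before re-uploading the owner should import the server's public key and confirm with --check-sigs that the new certification really comes from it.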