Proposal of OpenPGP Email Validation

Ingo Klöcker kloecker at kde.org
Wed Jul 29 12:38:46 CEST 2015


On Wednesday 29 July 2015 01:48:54 MFPA wrote:
> On Tuesday 28 July 2015 at 8:17:28 PM, in
> <mid:55B7D548.4020104 at enigmail.net>, nico at enigmail.net wrote:
> > AFAIK, there are not THAT many faked keys, but the
> > problem exists especially for key parties of our
> > internet world (a famous German magazine, at least one
> > GPG tool, ...). The problem is that the German magazine
> > takes this as a show stopper (both personally and
> > publicly). I really want to have them back on our road
> > for more encryption with OpenPGP. And the "publicity"
> > we get from not validating email addresses is really a
> > big problem (especially as fixing that problem sounds
> > so easy and obvious). Thus, without fixing this, IMO
> > the whole OpenPGP movement has a reputation problem.
> 
> I understand what you are saying. I cannot help but think they are
> making a mountain out of a molehill by characterising this minor
> irritation as a "show stopper".

Yes, he (not they!), the author of the article, is doing exactly this.


> Putting something in place to
> counteract the issue is one approach. Would it not be an equally-valid
> approach to educate them as to why it is a non-issue, which they could
> then disseminate through their magazine?

I think that the author of the article knows that it's mostly a non-issue. He 
still decided to write the article "Forged PGP Keys in the Wild" [1] and even 
an accompanying editorial titled "Let PGP Die!" [2]. I guess he simply got 
pissed because he received so many messages that were undecryptable with his 
real key.

Luckily, there are also more sensible authors working for this magazine who 
write good articles about OpenPGP.

I personally chose to ignore the stupid editorial. IMHO it does not deserve 
more attention than any other rant written by a random troll. OTOH, the 
article actually isn't that bad. It points out the issue with the missing 
validation of email addresses in UIDs, making a bit of a fuss about it, but 
IIRC it also explains how to avoid falling into the trap of using a fake key.


Regards,
Ingo


[1] http://www.heise.de/artikel-archiv/ct/2015/06/160_Die-Schluessel-Falle 
(German; needs to be bought)
[2] https://www.heise.de/artikel-archiv/ct/2015/06/3_Editorial (German; free)