Proposal of OpenPGP Email Validation

nico at nico at
Wed Jul 29 13:07:20 CEST 2015


First I talked to him/them a couple of times personally
(there are multiple editors at that magazine)
about the issue in detail and tried to convince them to follow
the WoT, without success.

Note that they just behave as ordinary users,
having not much time to deal with the problems of OpenPGP.
They get hundreds of emails per day and each email they
can't read is a significant problem because
the 2 seconds they have for reading emails turn out to
become minutes.
There should simply be no overhead in using OpenPGP
in the ordinary case for the ordinary user.

And I agree with that.
Usability is key for a broad acceptance.

I don't want to have the same problem.
And other tools also don't want to have it anymore
(e.g. the guys have the same problem).

I see no reason NOT to solve this problem,
but I see many reasons to solve it.

Just saying "deal with it" simply means that
we place unnecessary burden on OpenPGP users.
IMO, that's a really bad approach.

Am 29.07.2015 um 12:38 schrieb Ingo Klöcker:
> On Wednesday 29 July 2015 01:48:54 MFPA wrote:
>> On Tuesday 28 July 2015 at 8:17:28 PM, in
>> <mid:55B7D548.4020104 at>, nico at wrote:
>>> AFAIK, there are not THAT many faked keys, but the
>>> problem exists especially for key parties of our
>>> internet world (a famous German magazine, at least one
>>> GPG tool, ...). The problem is that the German magazine
>>> takes this as a show stopper (both personally and
>>> publicly). I really want to have them back on our road
>>> for more encryption with OpenPGP. And the "publicity"
>>> we get from not validating email addresses is really a
>>> big problem (especially as fixing that problem sounds
>>> so easy and obvious). Thus, without fixing this, IMO
>>> the whole OpenPGP movement has a reputation problem.
>> I understand what you are saying. I cannot help but think they are
>> making a mountain out of a molehill by characterising this minor
>> irritation as a "show stopper".
> Yes, he (not they!), the author of the article is doing exactly this.
>> Putting something in place to
>> counteract the issue is one approach. Would it not be an equally-valid
>> approach to educate them as to why it is a non-issue, which they could
>> then disseminate through their magazine?
> I think that the author of the article knows that it's mostly a non-issue. He 
> still decided to write the article "Forged PGP Keys in the Wild" [1] and even 
> an accompanying editorial titled "Let PGP Die!" [2]. I guess he simply got 
> pissed because he received so many messages that were undecryptable with his 
> real key.
> Luckily, there are also more sensible authors working for this magazine who 
> write good articles about OpenPGP.
> I personally chose to ignore the stupid editorial. IMHO it does not deserve 
> more attention than any other rant written by a random troll. OTOH, the 
> article actually isn't that bad. It points out the issue with the missing 
> validation of email addresses in UIDs making a bit of a fuss about it, but 
> IIRC it also explains how to avoid falling into the trap of using a fake key.
> Regards,
> Ingo
> [1] 
> (German; needs to be bought)
> [2] (German; free)

Nicolai M. Josuttis
mailto:nico at
PGP fingerprint: CFEA 3B9F 9D8E B52D BD3F 7AF6 1C16 A70A F92D 28F5
