Proposal of OpenPGP Email Validation
Neal H. Walfield
neal at walfield.org
Wed Jul 29 14:07:21 CEST 2015
At Wed, 29 Jul 2015 01:03:53 +0100,
> On Tuesday 28 July 2015 at 11:46:10 PM, in
> <mid:87vbd3nbnx.wl-neal at walfield.org>, Neal H. Walfield wrote:
> > At Tue, 28 Jul 2015 19:22:29 +0100, MFPA wrote:
> >> It also eliminates any attempt to to establish a link
> >> between the key and the email address in the UID.
> > I'm not so sure. Recall that we are not attempting to
> > protect against attacks by nation states. As such,
> > performing a week of computation each year is going to
> > be too much to maintain for those who upload fake keys.
> And too much for people with multiple email addresses.
It doesn't have to be per-email address. It is sufficient to attach
it to the primary key.
> This still seems less rigorous to me than having to receive an email
> sent to that address and decrypt it with that key. I guess it's a case
> of swings and roundabouts.
Well, I don't like the CA model and that's what Nico is basically
proposing (with less rigorous checks). Another huge disadvantage is
that user's have to actively participate by replying to emails /
visiting a link.
Using PoW, no human intervention is required and there is no central
authority. PoW relies on the assumption that conducting an attack is
too expensive to do / maintain.
More information about the Gnupg-users