Proposal of OpenPGP Email Validation

Neal H. Walfield neal at walfield.org
Wed Jul 29 14:07:21 CEST 2015


At Wed, 29 Jul 2015 01:03:53 +0100,
MFPA wrote:
> On Tuesday 28 July 2015 at 11:46:10 PM, in
> <mid:87vbd3nbnx.wl-neal at walfield.org>, Neal H. Walfield wrote:
> > At Tue, 28 Jul 2015 19:22:29 +0100, MFPA wrote:
> >> It also eliminates any attempt to to establish a link
> >> between the key and the email address in the UID.
> 
> > I'm not so sure.  Recall that we are not attempting to
> > protect against attacks by nation states.  As such,
> > performing a week of computation each year is going to
> > be too much to maintain for those who upload fake keys.
> 
> And too much for people with multiple email addresses.

It doesn't have to be per-email address.  It is sufficient to attach
it to the primary key.

> This still seems less rigorous to me than having to receive an email
> sent to that address and decrypt it with that key. I guess it's a case
> of swings and roundabouts.

Well, I don't like the CA model and that's what Nico is basically
proposing (with less rigorous checks).  Another huge disadvantage is
that user's have to actively participate by replying to emails /
visiting a link.

Using PoW, no human intervention is required and there is no central
authority.  PoW relies on the assumption that conducting an attack is
too expensive to do / maintain.

:) Neal



More information about the Gnupg-users mailing list