Proposal of OpenPGP Email Validation

Ingo Klöcker kloecker at kde.org
Wed Jul 29 15:14:07 CEST 2015


On Wednesday 29 July 2015 14:09:54 Neal H. Walfield wrote:
> At Wed, 29 Jul 2015 02:30:47 +0100, MFPA wrote:
> > On Monday 27 July 2015 at 1:15:57 PM, in
> > <mid:874mkpokxu.wl-neal at walfield.org>, Neal H. Walfield wrote:
> > > Regarding the design: personally, I wouldn't have the
> > > user follow a link that includes a swiss number, but
> > > have the user reply to the mail, include the swiss
> > > number and sign it.
> > 
> > Why not simplify the workflow:-
> > 
> > 1. key reaches validation server.
> > 
> > 2. for each UID containing an email address, validation server creates
> >    a copy of the key stripped of all other UIDs.
> > 
> > 3. validation server signs that copy of the key.
> > 
> > 4. validation server pastes the signed key into an email, encrypts the
> >    email to that key, and sends it to the email address in the UID.
> > 
> > 5. user receives each email, decrypts it, and updates their local copy of
> >    their key.
> > 
> > 6. user uploads key now bearing the validation server's signatures to
> >    a keyserver.
> > 
> > There is still the same level of assurance that the email address and
> > private key are controlled by the same entity. Advantages are:-
> > 
> > a. Nobody is asked to click links or reply to emails.
> > 
> > b. The validation server does not need to manage a "stack" of keys
> >    awaiting feedback from the validation emails.
> > 
> > c. Changes to the user's key are uploaded to the keyserver by the
> >    user, not by the validation server.
> 
> Personally, I think c is the killer in this plan: people aren't going
> to bother to upload it (assuming they even get that far)!

If you replace "validation server" with "keysigning party participant" then 
you get one of the ways participants of keysigning parties get their 
signatures to the key owners. So, it's already done and people do upload their 
signed keys. I don't see why people should behave differently for validation 
servers.


Regards,
Ingo
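
Steps 2 to 4 of the quoted workflow, sketched with stock GnuPG as an added example that is not code from anyone in the thread. It assumes a GnuPG version that supports `--export-filter` and `--quick-sign-key`, the submitted key already imported into the server's keyring, and a working `mail` command; the function names and the sample listing are constructed, and the script certifies each UID before filtering the export rather than after.

```sh
#!/bin/sh
# Added illustration of steps 2-4 of the quoted workflow; not from the thread.

# Constructed `gpg --with-colons --list-keys` output (not a real key).
SAMPLE_LISTING='pub:u:4096:1:1111222233334444:1438000000:::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:u::::1438000000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>:
uid:r::::1438000000::0000000000000000000000000000000000000002::Alice Old <old@example.org>:
uid:u::::1438000000::0000000000000000000000000000000000000003::Alice (no address):
uid:u::::1438000000::0000000000000000000000000000000000000004::Alice Work <alice@work.example>:'

# Read a colon listing on stdin; print "address<TAB>full user ID" for each
# usable UID. Revoked/expired UIDs, UIDs without an address, and UIDs with
# escaped characters (which would need unescaping first) are skipped.
uid_addresses() {
  awk -F: '$1 == "uid" && $2 != "r" && $2 != "e" && index($10, "\\") == 0 {
    if (match($10, /<[^<> ]+@[^<> ]+>$/))
      printf "%s\t%s\n", substr($10, RSTART + 1, RLENGTH - 2), $10
  }'
}

# $1 = fingerprint of a submitted key already imported into the server keyring.
# Assumes the server's signing key is gpg's default key and `mail` can send.
validate_key() (
  fpr=$1
  tab=$(printf '\t')
  gpg --batch --with-colons --list-keys "$fpr" | uid_addresses |
  while IFS=$tab read -r addr uid; do
    # Step 3: certify this one UID ("=" asks for an exact user-ID match).
    gpg --batch --quick-sign-key "$fpr" "=$uid" </dev/null || continue
    # Step 2: export a copy that carries only this UID and its signatures.
    # Step 4: encrypt that copy to the key itself and mail it to the UID's
    # address, so only someone holding both mailbox and private key gets it.
    gpg --batch --armor --export --export-filter "keep-uid=mbox = $addr" "$fpr" |
      gpg --batch --armor --trust-model always --recipient "$fpr" --encrypt |
      mail -s "Validation signature for $addr" "$addr"
  done
)
```

Nothing runs until `validate_key` is called with a fingerprint; `uid_addresses` can be checked on its own against `SAMPLE_LISTING`.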


More information about the Gnupg-users mailing list