Proposal of OpenPGP Email Validation

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Thu Jul 30 17:32:47 CEST 2015



On 07/30/2015 05:12 PM, Viktor Dick wrote:
> On 2015-07-30 16:39, MFPA wrote:
>> On Thursday 30 July 2015 at 1:43:35 PM, in 
>> <mid:55BA1BF7.4090408 at enigmail.net>, nico at enigmail.net wrote
>>> BTW, as another example, several keys of team at gpgtools.org are
>>> faked (search for these keys and see the interesting result).
>> 
>> Sorry, I don't see a result that leaps out at me as interesting.
>> Are you willing to elaborate?
> 
> I'd say if one searches on a keyserver, it is pretty clear which
> key is real. I'm a bit worried because when I search with Enigmail
> it does not show the signatures, so from there they all seem
> equally valid.

Instinctively this sounds flawed; the point is that there is no way to
tell without downloading the key and verifying the validation path
through other existing known-good keys. If you rely solely on the
number of signatures, those can easily be constructed, either by
generating new keys or because the keyservers do not do any
cryptographic verification that the signatures themselves are correct.

... and that is intended behavior ...

-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nil satis nisi optimum
Nothing but the best is good enough
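The distinction drawn in the reply above (a raw signature count on a keyserver versus a verified validation path from keys you already trust), as an added example that is not part of the original thread or of GnuPG. Everything in it is constructed: the key ids, the user ID team@example.org, and the certifications. HMAC with a per-key secret stands in for an OpenPGP certification signature so the block runs with the standard library only; that simplification does not model the asymmetric property of real signatures, but it preserves the behaviour that matters here, namely that a certification claiming to come from a key cannot be produced without that key, while a keyserver will happily store it anyway.

```python
import hashlib
import hmac
from collections import deque

# Constructed toy keyring: key id -> secret used to issue certifications.
# HMAC stands in for an OpenPGP signature (hypothetical simplification;
# a real certification is verified with the signer's public key).
SECRETS = {
    "alice": b"alice-secret",
    "bob": b"bob-secret",
    "real-team": b"real-team-secret",
    "fake-team": b"fake-team-secret",
    "sock1": b"sock1-secret",
    "sock2": b"sock2-secret",
    "sock3": b"sock3-secret",
}
UID = "team@example.org"  # constructed: both candidate keys claim this user ID


def certify(signer, key_id, uid, secret):
    """Issue a certification of (key_id, uid) by signer."""
    msg = f"{signer}:{key_id}:{uid}".encode()
    return (signer, key_id, uid, hmac.new(secret, msg, hashlib.sha256).hexdigest())


def verify_cert(cert, keyring):
    """Verify one certification against the keys the verifier actually holds."""
    signer, key_id, uid, mac = cert
    if signer not in keyring:
        return False
    msg = f"{signer}:{key_id}:{uid}".encode()
    expected = hmac.new(keyring[signer], msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def build_keyserver():
    """A keyserver stores whatever is uploaded; it verifies nothing."""
    certs = [
        certify("alice", "bob", "bob@example.org", SECRETS["alice"]),
        certify("bob", "real-team", UID, SECRETS["bob"]),
        # Uploaded against the fake key: two certifications that merely
        # claim to be alice's and bob's (garbage MACs, since the uploader
        # lacks their secrets) ...
        ("alice", "fake-team", UID, "00" * 32),
        ("bob", "fake-team", UID, "ff" * 32),
    ]
    # ... plus three genuine certifications from freshly generated keys
    # that nobody trustworthy has ever certified.
    for sock in ("sock1", "sock2", "sock3"):
        certs.append(certify(sock, "fake-team", UID, SECRETS[sock]))
    return certs


def signature_count(certs, key_id):
    """What a client sees if it only counts the signatures on a key."""
    return sum(1 for c in certs if c[1] == key_id)


def trust_path(certs, keyring, roots, key_id):
    """Breadth-first search from known-good keys over certifications that
    verify. Returns the chain of key ids reaching key_id, or None."""
    queue = deque([[root] for root in roots])
    seen = set(roots)
    while queue:
        path = queue.popleft()
        if path[-1] == key_id:
            return path
        for cert in certs:
            signer, target = cert[0], cert[1]
            if signer == path[-1] and target not in seen and verify_cert(cert, keyring):
                seen.add(target)
                queue.append(path + [target])
    return None


def compare(key_id, roots=("alice",)):
    """Return (raw signature count, verified trust path or None) for a key."""
    certs = build_keyserver()
    return signature_count(certs, key_id), trust_path(certs, SECRETS, list(roots), key_id)


if __name__ == "__main__":
    for key in ("real-team", "fake-team"):
        count, path = compare(key)
        print(f"{key}: {count} signatures on keyserver, trust path: {path}")
```

Run as written, the fake key shows five signatures against the real key's one, which is exactly the "they all seem equally valid" view a client gets from counting. The path search, which only follows certifications that verify and only from a key the user already trusts, reaches real-team via alice and bob and never reaches fake-team: the forged certifications fail verification and the sock-puppet ones verify but start from keys with no path of their own.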



More information about the Gnupg-users mailing list