Proposal of OpenPGP Email Validation

Viktor Dick viktordick86 at gmail.com
Fri Jul 31 07:43:29 CEST 2015


On 31.07.2015 01:11, MFPA wrote:
> Only if you download the key from the GPGTools website and find the
> key-id first. (If the GPGTools team shows their key ID or Fingerprint
> on their website, I failed to find it.)
On the front page they have 'to verify the signature, please download
and import our <updated key>' right below the download button. There is
no fingerprint, but the whole key is there.
But I was talking about the fact that of the six results, one has
hundreds of signatures. Sure, in the web of trust concept this doesn't
mean anything unless there is a (short) trust chain from me to one of
these, but in practice this still significantly raises the chance that it
is the correct key (and it is, I checked with the one on their homepage).

> My output from searching a keyserver for "gpgtools.org":-
'gpg --search-keys' does not seem to give a list of signatures (which
explains why enigmail also doesn't), I was searching using a web
interface. I guess this is because it is assumed that signatures do not
mean anything without a trust chain. But if I had to bet money on one of
the keys, I would still take the one with hundreds of signatures.

> However, what would be different if one of the keys found happened to
> carry one of your proposed email address validation signatures?
If I could quickly check (or rather, my client could do that
automatically) that the signature is also found on their web page, I can
assume that either the web page is fake (which is unlikely for something
known like ccc.de), it has been hacked (unlikely for a random troll) or
someone intercepted either my HTTP request or the original verification
e-mail (possible with a secret service, unlikely with a troll).
Therefore, it will raise my estimated probability that the owner of the
key also has access to the mailbox, which will pretty surely now be much
higher than for any fake key.
The advantage with respect to the proof of work concept is that the
procedure is asymmetric: it costs much more to troll than to verify a
genuine key.

Best regards,
Viktor
