German ct magazine postulates death of pgp encryption
patrick at enigmail.net
Sun Mar 1 15:41:33 CET 2015
On 27.02.15 20:56, Werner Koch wrote:
> On Fri, 27 Feb 2015 17:26, patrick at enigmail.net said:
>> that anyone can upload _every_ key to a keyserver is an issue. If
>> keyservers would do some sort of verification (e.g. confirmation
>> of the email addresses) then this would lead to much more
>> reliable data.
> We have such a system. It is called S/MIME.
> Ever tried to find an S/MIME (X.509) key (aka certificate) for an
> arbitrary mail address? The only working solution to get such a
> key is by sending a mail and asking for the key. You can do the
> very same with PGP of course. Keyservers along with visiting cards
> are much nicer.
> So, why is there no public service to distribute X.509 keys?
> Because nobody wants to be legally responsible for such a key
> unless you push a stack of money over the table for a qualified
> signature certificate.
I would not go that far as trying to guarantee the identity of a key.
But I think if a keyserver could do some basic verification of keys,
it would make OpenPGP a lot easier to use for email.
The idea I have in mind is roughly as follows: if you upload a key to
a keyserver, the keyserver would send an encrypted email to every UID
in the key. Each encrypted mail contains a unique link to confirm the
email address. Once all email addresses are confirmed, the key is
validated and the keyserver will allow access to it just like with any
This way, we have a simple verification of the access to the private
the key, as well as access to the email addresses contained in the UID
by quite a simple means. I would say this is about as reliable as
sending an email to someone requesting their key.
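The upload-then-confirm flow proposed above, modelled as an added example (not code from the list, GnuPG or any keyserver): the keyserver hands out one single-use token per UID, "mails" it encrypted to the uploaded key, and publishes the key only once every UID has confirmed. The `VerifyingKeyserver` class, the `_encrypt_to` stub standing in for OpenPGP encryption, and the sample key are all constructed for this illustration.

```python
import secrets

# Constructed sample key record: a placeholder fingerprint plus its e-mail UIDs.
SAMPLE_KEY = {"fpr": "FPR-PLACEHOLDER-0001",
              "uids": ["alice@example.org", "alice@example.net"]}


class VerifyingKeyserver:
    """Key becomes visible only after every UID confirmed its challenge."""

    def __init__(self):
        self.pending = {}    # fpr -> {"key", "tokens": {token: uid}, "confirmed": set}
        self.published = {}  # fpr -> key record
        self.outbox = []     # simulated mail: (recipient uid, fpr, ciphertext)

    def _encrypt_to(self, key, plaintext):
        # Stub for OpenPGP encryption to the uploaded key (assumption, not a
        # real crypto call): only the private-key holder could read the link.
        return {"to_fpr": key["fpr"], "body": plaintext}

    def upload(self, key):
        """Accept a key, send one encrypted confirmation link per UID."""
        tokens = {}
        for uid in key["uids"]:
            token = secrets.token_urlsafe(16)          # unique, unguessable
            tokens[token] = uid
            link = f"https://keyserver.example/confirm?token={token}"
            self.outbox.append((uid, key["fpr"], self._encrypt_to(key, link)))
        self.pending[key["fpr"]] = {"key": key, "tokens": tokens,
                                    "confirmed": set()}
        return list(tokens)   # returned only so the simulation can "click" them

    def confirm(self, token):
        """Consume a token; publish the key once all UIDs are confirmed."""
        match = next((fpr for fpr, rec in self.pending.items()
                      if token in rec["tokens"]), None)
        if match is None:
            return False                               # unknown or already used
        rec = self.pending[match]
        rec["confirmed"].add(rec["tokens"].pop(token))  # single-use token
        if rec["confirmed"] == set(rec["key"]["uids"]):
            self.published[match] = rec["key"]
            del self.pending[match]
        return True

    def lookup(self, email):
        """Search is answered from published (fully confirmed) keys only."""
        return [k for k in self.published.values() if email in k["uids"]]
```

A partially confirmed key never appears in `lookup`, and a token that was already consumed is rejected on the second use.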