German ct magazine postulates death of pgp encryption

Kristian Fiskerstrand kristian.fiskerstrand at
Sun Mar 1 17:36:57 CET 2015

On 03/01/2015 05:31 PM, Marco Zehe wrote:
> Hi Patrick,
>> On 01.03.2015 at 15:41, Patrick Brunschwig <patrick at> wrote:
>> The idea I have in mind is roughly as follows: if you upload a
>> key to a keyserver, the keyserver would send an encrypted email
>> to every UID in the key. Each encrypted mail contains a unique
>> link to confirm the email address. Once all email addresses are
>> confirmed, the key is validated and the keyserver will allow
>> access to it just like with any regular keyserver.
> I like this idea very, very much! This is a confirmation that
> doesn’t hurt anybody, and it is something that ensures on a basic
> level, that the key isn’t completely bogus.
> I have seen part of this in a different context in Mozilla’s 
> Bugzilla, when one uploads one’s public key into the Bugzilla
> account to be able to receive security-sensitive messages. After
> submitting the form, Bugzilla sends an encrypted message to the
> account’s e-mail address, assuming the public key just uploaded
> belongs to that address. It doesn’t go as far as requiring
> verification via a link, but it definitely confirms if the key is
> working for the user.

Seriously? Please look at regarding that
implementation, which opens up another can of worms (encrypts to {S,C}
key, not encryption key, dual usage of same key material for different
purposes... BAD)

-- 
----------------------------
Kristian Fiskerstrand
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"I have always wished that my computer would be as easy to use as my
My wish has come true -- I no longer know how to use my telephone"
(Bjarne Stroustrup, April 1999)
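
The usage-flag problem raised in the reply above, as an added example that is not part of the original message or of Bugzilla's code: before a service encrypts a confirmation mail, it can read the key capabilities from `gpg --with-colons` output and use only a key flagged for encryption. The listing, key IDs and function names are constructed for illustration.

```python
# Added example: pick the recipient key by usage flag instead of
# encrypting to the primary sign/certify key.
# SAMPLE_LISTING is constructed data in the `gpg --with-colons` layout;
# key IDs, dates and user IDs are made up.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAA000000000001:1400000000:::-:::scESC:
uid:-::::1400000000::0000::Alice Example <alice@example.org>:
sub:-:4096:1:AAAA000000000002:1400000000::::::e:
sub:r:4096:1:AAAA000000000003:1300000000::::::e:
pub:-:2048:1:BBBB000000000001:1400000000:::-:::scSC:
uid:-::::1400000000::0000::Bob Example <bob@example.org>:
"""

UNUSABLE = set("ired")  # field 2: invalid, revoked, expired, disabled


def encryption_targets(listing):
    """Map each primary key ID to the key IDs that carry the encrypt flag."""
    targets, primary, primary_ok = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        rec, validity, keyid, caps = f[0], f[1], f[4], f[11]
        if rec == "pub":
            primary, primary_ok = keyid, validity not in UNUSABLE
            targets[primary] = []
        # Field 12: lowercase letters are this key's own capabilities.
        # Uppercase letters on a pub record summarise the whole key and
        # must not be read as "the primary key can encrypt".
        if primary_ok and validity not in UNUSABLE and "e" in caps:
            targets[primary].append(keyid)
    return targets


def pick_recipient(listing, primary):
    """Return an encryption-capable key ID, or refuse (no S/C fallback)."""
    usable = encryption_targets(listing).get(primary, [])
    if not usable:
        raise ValueError(primary + ": no usable key with the encrypt flag")
    return usable[0]


if __name__ == "__main__":
    print(encryption_targets(SAMPLE_LISTING))
```

The second constructed key has only sign and certify capabilities, so `pick_recipient` raises rather than encrypting to key material meant for signatures.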

