Making the case for smart cards for the average user
2014-667rhzu3dc-lists-groups at riseup.net
Tue Mar 17 01:55:51 CET 2015
On Saturday 14 March 2015 at 10:37:18 PM, in
<mid:CAAocvpvEqs-tQ-rEki8AX3spdSt8P5TG0+KoXVtufW0Azy9wDQ at mail.gmail.com>,
Joey Castillo wrote:
> The goal is to simplify
> not just everyday things like how to make a key or
> encrypt an email, but also more complex things like
> "what is my identity and how do I verify it?" 

Although I don't really like email addresses in the UIDs of my keys, I
quite like the simplicity of your "email address only" simplified UID
format. However, I would urge you to reconsider your decision to drop
the angle brackets. At least one MUA (the MUA I am using to write this
message) sends the email address enclosed in angle brackets as the
search string for GnuPG to locate the key. No angle brackets around
the email address means no key found.

Your proposed "automated email verification service" will beat the PGP
Global Directory's verification check by encrypting the verification
message to confirm that the user is in control of the key as well as
the email address. But it retains the problem of relatively frequent
verification signatures accumulating; I don't know a solution to that.

If a user has multiple email addresses, does the "automated email
verification service" send a different encrypted verification link to
each address, and then only sign the UIDs that the user verified? And
is there the option to reply to email rather than click a link?

Finally, if the person at the other end is able to decrypt my message
and reply to me, then the key and the email address are controlled by
the same person. What assurance does the verification service add?

MFPA <mailto:2014-667rhzu3dc-lists-groups at riseup.net>
Can you imagine a world with no hypothetical situations?
More information about the Gnupg-users