Email-only UIDs and verification (was: Making the case for smart cards for the average user)
jose.castillo at gmail.com
Wed Mar 18 19:18:57 CET 2015
On Mar 16, 2015, at 8:55 PM, MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote:
> I would urge you to
> reconsider your decision to drop the angle brackets. At
> least one MUA (the MUA I am using to write this message)
> sends the email address enclosed in angle brackets as the
> search string for GnuPG to locate the key. No angle
> brackets around the email address means no key found.
Good point, I’ll make that change. As a side note, I notice that when I’m generating a key interactively, I get an error message of ‘Name must be at least 5 characters long’ when I try to make an email-only UID. It works in batch mode, and obviously with the allow-freeform-uid option, but just thought it was interesting to point out. Someone attempting to make such a UID in the interactive mode might be forgiven for putting their email address in the ‘name’ field as a workaround.
> Thinking about it, you don't need the user to click a link or to
> reply to an email at all. If you sign the UID and enclose the
> signed copy of the key in an encrypted email to the address
> in the UID, they don’t get access to the certification unless
> they control both the email address and the key.
This is a very good point, and I can see making this change.
> But it retains the problem of relatively frequent
> verification signatures accumulating; I don't know
> a solution to that.
This was in reference to the PGP global directory’s verification check. Having never used it I’m curious why the validity period is only two weeks. Does the user have to re-verify their email address every two weeks? That seems excessive. Moving to an annual validity period (or through the expiration of the domain name if it’s expiring sooner) allows for disused keys to expire, while still giving you the option to revoke a UID or key sooner if necessary.
> Finally, if the person at the other end is able to
> decrypt my message and reply to me, then the
> key and the email address are controlled by
> the same person. What assurance does the
> verification service add?
In the case of establishing communication with someone you haven’t yet met, it gives you an assurance that a third party has verified that they were in control of the address on a given date within the last year. If I query your email address and find four keys, I don’t know what to do; but if one of them is trusted by the email verification service, which I trust, then there’s only one valid key.