Email-only UIDs and verification (was: Making the case for smart cards for the average user)

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Fri Mar 20 01:58:25 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Wednesday 18 March 2015 at 6:18:57 PM, in
<mid:16C07A2D-8B6D-48E5-9BC3-B6AE5D0935D9 at gmail.com>, Jose Castillo
wrote:


> On Mar 16, 2015, at 8:55 PM, MFPA
> <2014-667rhzu3dc-lists-groups at riseup.net> wrote:

MFPA>> No angle brackets around the email address means no key found.

JC> Good point, I’ll make that change.

Appreciated.

As you probably read in Daniel Kahn Gillmor's message, he has lodged a
bug report/feature request for GnuPG.


JC> As a sidenote, I
> notice that when I’m generating a key interactively, I
> get an error message of 'Name must be at least 5
> characters long’ when I try to make an email-only UID.
> It works in batch mode, and obviously with the
> allow-freeform-uid option, but just thought it was
> interesting to point out. Someone attempting to make
> such a UID in the interactive mode might be forgiven
> for putting their email address in the ‘name’ field as
> a workaround.

They would be scolded at the next prompt, then probably either give
up, or go back and enter a name, or enter their email address a second
time.

I would imagine the "average user" you are aiming at would use your
GUI to create keys. A more advanced user might read your
documentation, so you could tell them which options to use if they
wanted to create a key matching your bespoke user-id standard through
the normal GnuPG text interface.




MFPA>> Thinking about it, you don't need the user to click a
>> link or to reply to an email at all.

> This is a very good point, and I can see making this
> change.

I would think it would make it easier to code: you don't have to
bother tracking the verification link/email.



> This was in reference to the PGP global directory’s
> verification check. Having never used it I’m curious
> why the validity period is only two weeks.

Lots of activation or verification links sent out by email have a
short validity period. People are used to that.

PGP Global Directory's FAQ
<https://keyserver.pgp.com/vkd/VKDHelpPGPCom.html> says:-

    What if I don't respond to the renewal message?

    The PGP Global Directory will give you two weeks to respond. If
    you don't respond, your key will be removed from the directory, as
    it is assumed you no longer have the key or are no longer using
    the email address in the user ID of the key.




> Does the
> user have to re-verify their email address every two
> weeks? That seems excessive.

It would be.(-;

The user has two weeks to react to the verification email. Once the
user has verified the email address, the verification is good for six
months. Then they get a renewal verification email, and so on.

I have no idea why the PGP GD verification signatures last only two
weeks instead of six months. Their FAQ is silent on the matter.



MFPA>> Finally, if the person at the other end is able to
>> decrypt my message and reply to me, then the key and
>> the email address are controlled by the same person.
>> What assurance does the verification service add?

> In the case of establishing communication with someone
> you haven’t yet met, it gives you an assurance that a
> third party has verified that they were in control of
> the address on a given date within the last year.

The person at the other end decrypting my message and replying to me
shows that the key and the corresponding email address are both
controlled by the same person today (Person A), verified by me.

Additional information: the verification service verified that the key
and the email address were both controlled by the same person (Person
B) on a given verification date within the last year.

I am opening communication with Person A at that address today. I
neither know nor care if Person B, who was there within the last year,
is the same person as Person A. So I cannot think of a use for the
additional information. (I'm not saying there is no use, merely that I
can't see one.)



> If I
> query your email address and find four keys, I don’t
> know what to do;

Good question.

1. You could ask me, in an email encrypted to all four keys.

2. You could ask me, in up to four individually-encrypted emails. May
not need all four if I answer before you send them all.

3. Out-of-band communication, such as phone.

4. Look for clues in my email signature block or headers.



> but if one of them is trusted by the
> email verification service, which I trust, then there’s
> only one valid key.

The email verification service's signature, which warrants that the
key and email address were under common control on a specific date in
the past year. That is a reasonable first guess out of the four keys,
and makes that one key "valid" in accordance with your bespoke Signet
simplified validity scheme.




- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Don't anthropomorphize computers - they hate it
-----BEGIN PGP SIGNATURE-----
=+DyS
-----END PGP SIGNATURE-----
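The "four keys for one address" situation and the email-only UID (bare address, no angle brackets) that come up in the thread are easy to reproduce locally. The following is an added example, not code from the thread or from GnuPG: it parses a constructed sample of `gpg --with-colons --list-keys` output (the key IDs and UID hashes are made up), extracts the email address from each UID whether it is written as `Name <email>` or as a bare address, and reports which addresses map to more than one key, which is exactly the case where a lookup by email alone cannot pick a key without further input. It assumes only the documented colon-format layout: field 5 of a `pub` record is the key ID and field 10 of a `uid` record is the user ID, with colons escaped as `\x3a`.

```python
import re
from collections import defaultdict

# Constructed sample of `gpg --with-colons --list-keys` output.
# The key IDs and UID hashes are invented; the layout follows gpg's
# colon format: field index 4 of a "pub" record is the key ID, field
# index 9 of a "uid" record is the user ID string.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1426000000:::u:::scESC::::::23::0:
uid:u::::1426000000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>::::::::::0:
uid:u::::1426000000::0000000000000000000000000000000000000002::alice@example.org::::::::::0:
pub:-:2048:1:FEDCBA9876543210:1420000000:::-:::scESC::::::23::0:
uid:-::::1420000000::0000000000000000000000000000000000000003::Alice (old laptop) <alice@example.org>::::::::::0:
pub:-:2048:1:1111222233334444:1420000000:::-:::scESC::::::23::0:
uid:-::::1420000000::0000000000000000000000000000000000000004::Bob Example <bob@example.org>::::::::::0:
"""

# Conventional UID: anything followed by <email> at the end.
ANGLE_EMAIL = re.compile(r"<([^<>]+)>\s*$")
# Email-only UID: the whole string is a bare address, no brackets at all.
BARE_EMAIL = re.compile(r"^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$")


def email_from_uid(uid):
    """Return (email, is_email_only) for a user-ID string.

    Returns (None, False) when the UID carries no recognisable address,
    e.g. a name-only or photo UID.
    """
    uid = uid.replace("\\x3a", ":").strip()  # undo gpg's colon escaping
    m = ANGLE_EMAIL.search(uid)
    if m:
        return m.group(1).strip().lower(), False
    if BARE_EMAIL.match(uid):
        return uid.lower(), True
    return None, False


def keys_by_email(listing):
    """Map lower-cased email -> sorted list of key IDs carrying a UID for it."""
    result = defaultdict(set)
    current_key = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current_key = fields[4]
        elif fields[0] == "uid" and current_key is not None:
            email, _ = email_from_uid(fields[9])
            if email:
                result[email].add(current_key)
    return {email: sorted(keys) for email, keys in result.items()}


def ambiguous_addresses(listing):
    """Addresses for which a lookup by email would return more than one key."""
    return {e: k for e, k in keys_by_email(listing).items() if len(k) > 1}


if __name__ == "__main__":
    for email, keys in sorted(keys_by_email(SAMPLE_LISTING).items()):
        print(email, "->", ", ".join(keys))
    for email, keys in ambiguous_addresses(SAMPLE_LISTING).items():
        print("ambiguous:", email, "has", len(keys), "keys; ask the owner which one to use")
```

Run it against a real keyring with `gpg --with-colons --list-keys` piped into `keys_by_email` instead of the sample; any address that lands in `ambiguous_addresses` is one where the thread's options (ask in a message encrypted to all of them, confirm out of band, or check a signature block) are needed before trusting a single key.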



