Email-only UIDs and verification (was: Making the case for smart cards for the average user)

MFPA 2014-667rhzu3dc-lists-groups at
Fri Mar 20 01:58:25 CET 2015

Hash: SHA512

On Wednesday 18 March 2015 at 6:18:57 PM, in
<mid:16C07A2D-8B6D-48E5-9BC3-B6AE5D0935D9 at>, Jose Castillo

> On Mar 16, 2015, at 8:55 PM, MFPA
> <2014-667rhzu3dc-lists-groups at> wrote:

MFPA>> No angle brackets around the email address means no key found.

JC> Good point, I’ll make that change.


As you probably read in Daniel Kahn Gilmore's message, he has lodged a
bug report/feature request for GnuPG.

JC> As a sidenote, I
> notice that when I’m generating a key interactively, I
> get an error message of 'Name must be at least 5
> characters long’ when I try to make an email-only UID.
> It works in batch mode, and obviously with the
> allow-freeform-uid option, but just thought it was
> interesting to point out. Someone attempting to make
> such a UID in the interactive mode might be forgiven
> for putting their email address in the ‘name’ field as
> a workaround.

They would be scolded at the next prompt, then probably either give
up, or go back and enter a name, or enter their email address a second

I would imagine the "average user" you are aiming at would use your
GUI to create keys. A more advanced user might read your
documentation, so you could tell them which options to use if they
wanted to create a key matching your bespoke user-id standard through
the normal GnuPG text interface.

MFPA>> Thinking about it, you don't need the user to click a
>> link or to reply to an email at all.

> This is a very good point, and I can see making this
> change.

I would think it would make it easier to code: you don't have to
bother tracking the verification link/email.

> This was in reference to the PGP global directory’s
> verification check. Having never used it I’m curious
> why the validity period is only two weeks.

Lots of activation or verification links sent out by email have a
short validity period. People are used to that.

PGP Global Directory's FAQ
<> says:-

    What if I don't respond to the renewal message?

    The PGP Global Directory will give you two weeks to respond. If
    you don't respond, your key will be removed from the directory, as
    it is assumed you no longer have the key or are no longer using
    the email address in the user ID of the key.

> Does the
> user have to re-verify their email address every two
> weeks? That seems excessive.

It would be.(-;

The user has two weeks to react to the verification email. Once the
user has verified the email address, the verification is good for six
months. Then they get a renewal verification email, and so on.

I have no idea why the PGP GD verification signatures last only two
weeks instead of six months. Their FAQ is silent on the matter.

MFPA>> Finally, if the person at the other end is able to
>> decrypt my message and reply to me, then the key and
>> the email address are controlled by the same person.
>> What assurance does the verification service add?

> In the case of establishing communication with someone
> you haven’t yet met, it gives you an assurance that a
> third party has verified that they were in control of
> the address on a given date within the last year.

The person at the other end decrypting my message and replying to me
shows that the key and the corresponding email address are both
controlled by the same person today (Person A), verified by me.

Additional information: the verification service verified that the key
and the email address were both controlled by the same person (Person
B) on a given verification date within the last year.

I am opening communication with Person A at that address today. I
neither know nor care if Person B, who was there within the last year,
is the same person as Person A. So I cannot think of a use for the
additional information. (I'm not saying there is no use, merely that I
can't see one.)

> If I
> query your email address and find four keys, I don’t
> know what to do;

Good question.

1. You could ask me, in an email encrypted to all four keys.

2. You could ask me, in up to four individually-encrypted emails. You may
not need all four if I answer before you have sent them all.

3. Out-of-band communication, such as phone.

4. Look for clues in my email signature block or headers.

> but if one of them is trusted by the
> email verification service, which I trust, then there’s
> only one valid key.

The email verification service's signature warrants that the
key and email address were under common control on a specific date in
the past year. That is a reasonable first guess out of the four keys,
and makes that one key "valid" in accordance with your bespoke Signet
simplified validity scheme.

- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at>

Don't anthropomorphize computers - they hate it
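As an added illustration, and not code from this thread, from MFPA, or from Jose Castillo's Signet project, the following Python script models the validity reasoning discussed above: the PGP Global Directory renewal cycle as quoted from its FAQ (six months of validity, then a two-week window to respond to the renewal message) and the "four keys for one address" decision (use the single currently-verified key, otherwise fall back to option 1 and encrypt to all candidates). The verifier fingerprint, key fingerprints, address and dates are constructed placeholders, and the six-month period is approximated as 182 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed values: the verifier fingerprint is a placeholder, not a real service key.
VERIFIER_FPR = "VERIFIER-FINGERPRINT-PLACEHOLDER"
VERIFICATION_PERIOD = timedelta(days=182)   # "good for six months" (assumed as 182 days)
RENEWAL_WINDOW = timedelta(days=14)         # "two weeks to respond" to the renewal message

TODAY = date(2015, 3, 20)                   # constructed reference date for the sample data


@dataclass(frozen=True)
class Certification:
    signer_fpr: str   # fingerprint of the key that made the certification
    signed_on: date   # date the verification signature was made


@dataclass(frozen=True)
class Key:
    fingerprint: str
    uid: str
    certifications: tuple  # tuple of Certification


def days_ago(n, today=TODAY):
    """Helper for building sample dates relative to TODAY."""
    return today - timedelta(days=n)


def renewal_status(cert, today, period=VERIFICATION_PERIOD, window=RENEWAL_WINDOW):
    """Classify one verification certification against the FAQ's renewal cycle."""
    renewal_due = cert.signed_on + period
    if today <= renewal_due:
        return "valid"
    if today <= renewal_due + window:
        return "renewal-pending"   # renewal message sent, user still has time to respond
    return "expired"               # the directory would have removed the key by now


def verifier_status(key, today, verifier_fpr=VERIFIER_FPR):
    """Best status among the certifications on this key made by the verification service."""
    statuses = [renewal_status(c, today)
                for c in key.certifications if c.signer_fpr == verifier_fpr]
    for wanted in ("valid", "renewal-pending", "expired"):
        if wanted in statuses:
            return wanted
    return "none"   # no certification from the verification service at all


def pick_recipients(keys, today):
    """Simplified validity rule: exactly one currently-verified key -> use it alone;
    otherwise fall back to option 1 from the thread and encrypt to every candidate key."""
    verified = [k for k in keys if verifier_status(k, today) == "valid"]
    if len(verified) == 1:
        return "single", [verified[0].fingerprint]
    return "all", [k.fingerprint for k in keys]


def without_verifier_certs(keys, verifier_fpr=VERIFIER_FPR):
    """Return the same keys with every verification-service certification stripped."""
    return tuple(
        Key(k.fingerprint, k.uid,
            tuple(c for c in k.certifications if c.signer_fpr != verifier_fpr))
        for k in keys
    )


# Constructed sample: four keys found when querying one email address.
ADDRESS = "alice@example.org"
CANDIDATE_KEYS = (
    Key("KEY-A", f"<{ADDRESS}>", (Certification(VERIFIER_FPR, days_ago(100)),)),   # verified, current
    Key("KEY-B", f"<{ADDRESS}>", (Certification(VERIFIER_FPR, days_ago(250)),)),   # verified long ago, lapsed
    Key("KEY-C", f"Alice <{ADDRESS}>", (Certification("OTHER-SIGNER", days_ago(10)),)),  # signed by someone else
    Key("KEY-D", f"<{ADDRESS}>", ()),                                               # no certifications
)

if __name__ == "__main__":
    for k in CANDIDATE_KEYS:
        print(k.fingerprint, k.uid, verifier_status(k, TODAY))
    print(pick_recipients(CANDIDATE_KEYS, TODAY))
    print(pick_recipients(without_verifier_certs(CANDIDATE_KEYS), TODAY))
```

Running it prints KEY-A as the only key in "valid" status, so the first decision is to encrypt to KEY-A alone; with the verification-service certifications stripped, no key stands out and the decision becomes "all", i.e. encrypt to every candidate and let the reply settle which key is live, which is the check the thread describes as the one that actually matters today.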


More information about the Gnupg-users mailing list