Email-only UIDs and verification (was: Making the case for smart cards for the average user)
Bob (Robert) Cavanaugh
robertc at broadcom.com
Fri Mar 20 18:43:27 CET 2015
Hi,
One thought to add to the mix: Phishing attacks by having unknowledgeable users "click on this link" are pretty successful. Doesn't this proposal open a new threat vector?
Thanks,
Bob Cavanaugh
> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-
> bounces+robertc=broadcom.com at gnupg.org] On Behalf Of MFPA
> Sent: Thursday, March 19, 2015 5:58 PM
> To: Jose Castillo on GnuPG-Users
> Subject: Re: Email-only UIDs and verification (was: Making the case for smart
> cards for the average user)
>
> On Wednesday 18 March 2015 at 6:18:57 PM, in <mid:16C07A2D-8B6D-48E5-
> 9BC3-B6AE5D0935D9 at gmail.com>, Jose Castillo
> wrote:
>
>
> > On Mar 16, 2015, at 8:55 PM, MFPA
> > <2014-667rhzu3dc-lists-groups at riseup.net> wrote:
>
> MFPA>> No angle brackets around the email address means no key found.
>
> JC> Good point, I’ll make that change.
>
> Appreciated.
>
> As you probably read in Daniel Kahn Gillmor's message, he has lodged a bug
> report/feature request for GnuPG.
>
>
> JC> As a sidenote, I
> > notice that when I’m generating a key interactively, I get an error
> > message of 'Name must be at least 5 characters long’ when I try to
> > make an email-only UID.
> > It works in batch mode, and obviously with the allow-freeform-uid
> > option, but just thought it was interesting to point out. Someone
> > attempting to make such a UID in the interactive mode might be
> > forgiven for putting their email address in the ‘name’ field as a
> > workaround.
>
> They would be scolded at the next prompt, then probably either give up, or
> go back and enter a name, or enter their email address a second time.
>
> I would imagine the "average user" you are aiming at would use your GUI to
> create keys. A more advanced user might read your documentation, so you
> could tell them which options to use if they wanted to create a key matching
> your bespoke user-id standard through the normal GnuPG text interface.
>
>
>
>
> MFPA>> Thinking about it, you don't need the user to click a
> >> link or to reply to an email at all.
>
> > This is a very good point, and I can see making this change.
>
> I would think it would make it easier to code: you don't have to bother
> tracking the verification link/email.
>
>
>
> > This was in reference to the PGP global directory’s verification
> > check. Having never used it I’m curious why the validity period is
> > only two weeks.
>
> Lots of activation or verification links sent out by email have a short validity
> period. People are used to that.
>
> PGP Global Directory's FAQ
> <https://keyserver.pgp.com/vkd/VKDHelpPGPCom.html> says:-
>
> What if I don't respond to the renewal message?
>
> The PGP Global Directory will give you two weeks to respond. If
> you don't respond, your key will be removed from the directory, as
> it is assumed you no longer have the key or are no longer using
> the email address in the user ID of the key.
>
>
>
>
> > Does the
> > user have to re-verify their email address every two weeks? That seems
> > excessive.
>
> It would be.(-;
>
> The user has two weeks to react to the verification email. Once the user has
> verified the email address, the verification is good for six months. Then they
> get a renewal verification email, and so on.
>
> I have no idea why the PGP GD verification signatures last only two weeks
> instead of six months. Their FAQ is silent on the matter.
>
>
>
> MFPA>> Finally, if the person at the other end is able to
> >> decrypt my message and reply to me, then the key and the email
> >> address are controlled by the same person.
> >> What assurance does the verification service add?
>
> > In the case of establishing communication with someone you haven’t yet
> > met, it gives you an assurance that a third party has verified that
> > they were in control of the address on a given date within the last
> > year.
>
> The person at the other end decrypting my message and replying to me
> shows that the key and the corresponding email address are both controlled
> by the same person today (Person A), verified by me.
>
> Additional information: the verification service verified that the key and the
> email address were both controlled by the same person (Person B) on a given
> verification date within the last year.
>
> I am opening communication with Person A at that address today. I
> neither know nor care if Person B, who was there within the last year, is the
> same person as Person A. So I cannot think of a use for the additional
> information. (I'm not saying there is no use, merely that I can't see one.)
>
>
>
> > If I
> > query your email address and find four keys, I don’t know what to do;
>
> Good question.
>
> 1. You could ask me, in an email encrypted to all four keys.
>
> 2. You could ask me, in up to four individually-encrypted emails. May not
> need all four if I answer before you send them all.
>
> 3. Out-of-band communication, such as phone.
>
> 4. Look for clues in my email signature block or headers.
>
>
>
> > but if one of them is trusted by the
> > email verification service, which I trust, then there’s only one valid
> > key.
>
> The email verification service's signature, which warrants that the key and
> email address were under common control on a specific date in the past
> year. That is a reasonable first guess out of the four keys, and makes that
> one key "valid" in accordance with your bespoke Signet simplified validity
> scheme.
>
>
>
>
> --
> Best regards
>
> MFPA <mailto:2014-667rhzu3dc-lists-groups at riseup.net>
>
> Don't anthropomorphize computers - they hate it
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
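As an added example (not from the thread, and not GnuPG's own documentation), the batch-mode route Jose mentions for an email-only UID: a POSIX shell script that writes an unattended key-generation parameter file with only Name-Email set (no Name-Real), and, if gpg is on the PATH, generates the key in a throwaway homedir and prints the UID string gpg stored so you can see it is just the bracketed address. The key type, size, expiry and the example address are assumptions.

```shell
#!/bin/sh
# Added example: create an email-only UID with GnuPG's unattended (batch) mode.
# Interactive `gpg --gen-key` rejects an empty name, but a batch parameter
# file that sets only Name-Email is accepted.

# Print a GnuPG batch parameter file for the given address (no Name-Real line).
# Key type/size/expiry are assumptions chosen for the example.
email_only_params() {
  cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Email: $1
Expire-Date: 1y
%commit
EOF
}

# Generate the key in an isolated homedir and print the user ID gpg stored.
# Needs gpg on PATH; returns non-zero if generation fails.
gen_email_only_key() {
  addr=$1
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  email_only_params "$addr" > "$home/params"
  gpg --homedir "$home" --batch --no-tty --quiet --gen-key "$home/params" 2>/dev/null || return 1
  # --with-colons: on a "uid" record the user ID is field 10, e.g. <alice@example.com>
  gpg --homedir "$home" --with-colons --list-keys 2>/dev/null | awk -F: '$1=="uid"{print $10; exit}'
  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
}

if command -v gpg >/dev/null 2>&1; then
  uid=$(gen_email_only_key "alice@example.com") && echo "stored uid: $uid"
else
  echo "gpg not installed; the parameter file would be:"
  email_only_params "alice@example.com"
fi
```

The stored UID for an email-only key is the address wrapped in angle brackets, which is the form MFPA's "no angle brackets means no key found" remark relies on.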