Email-only UIDs and verification (was: Making the case for smart cards for the average user)

Daniel Kahn Gillmor dkg at
Fri Mar 20 19:47:49 CET 2015

On Fri 2015-03-20 13:43:27 -0400, Bob (Robert) Cavanaugh wrote:
> One thought to add to the mix: Phishng attacks by having
> unknowledgable users "click on this link" are pretty
> successful. Doesn't this proposal open a new threat vector?

There are a lot of proposals in this thread, and you didn't trim the
quoted text to isolate just one of them; can you be specific about which
one you're talking about?

I think you're talking about the proposal to have a verification service
send regular e-mails asking users to follow up on them.

If the followup is just "click this link" then i agree it's probably
encouraging bad habits.  What if the suggested followup was an e-mail
reply?  What if we require the verifier to sign its outbound messages,
and tell users "don't do this unless the message is signed by the

I'm still not sure how useful this is in the big picture -- is such a
verifier only for first-contact, or is it supposed to be useful
longer-term as well?


More information about the Gnupg-users mailing list