On Friday, July 7, 2006, 11:19:47 AM, Marcus wrote:

> * Todd Zullinger <[EMAIL PROTECTED]> wrote:
>
>> What I don't see in any of the links is more information about sending
>> an email challenge before signing a key. (My apologies if I'm
>> overlooking it on your page or any of the others.)
>
> Before, I used a protocol for signing keys where I sent out random strings
> as challenge-response, but it's not worth it. There is no enhanced security
> and only more work for "signer" and "signee". If you send the signed UIDs
> encrypted to each mail address separately, it has the same effect in
> security.
I don't think that's true: Decryption is (usually) handled by the
encryption subkey, and there's absolutely no guarantee that this subkey
is controlled by the same person as the primary/signing key. There may
even be valid reasons to split the two "roles".

Since UIDs are attached to the primary key and the primary key is the
only one that can modify UIDs (and signing a key is all about UIDs),
this system can't prove what it's supposed to prove: the link between
the UID (better: the e-mail address in it) and the person in control of
it.

Regards,
Mark Kirchner

-- 
_____________________________________________________________
Key (0x172C073C): http://www.mark-kirchner.de/keys/key-mk.asc
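As an added illustration of the subkey point (example code written for this page, not from the thread or from GnuPG itself): the script below parses the machine-readable output of `gpg --with-colons --list-keys` and reports, for each e-mail address in a certificate, which key material an encrypted challenge sent to that address would exercise, and whether that material is the primary (certifying) key or only an encryption subkey. The listing it parses is constructed sample data, not real keys; the field positions are those of GnuPG's documented colon format, which the script assumes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
# Field 5 is the key ID, field 10 the user ID (uid records) or fingerprint
# (fpr records), field 12 the capability letters: lowercase letters are the
# capabilities of that particular key, uppercase the usable capabilities of
# the whole certificate. First cert: modern layout with a separate encryption
# subkey. Second cert: primary key that itself carries the 'e' capability.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBFEDCBA9876543210:
pub:u:2048:1:1111222233334444:1200000000:::u:::escaESCA::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC1111222233334444:
uid:u::::1200000000::1111111111111111111111111111111111111111::Legacy User <legacy@example.org>::::::::::0:
"""


@dataclass
class KeyPart:
    kind: str                 # "pub" (primary) or "sub" (subkey)
    keyid: str
    caps: str                 # this key's own capabilities: subset of "seca"
    fpr: Optional[str] = None


@dataclass
class Cert:
    primary: KeyPart
    subkeys: List[KeyPart] = field(default_factory=list)
    uids: List[str] = field(default_factory=list)


def _own_caps(capfield: str) -> str:
    """Keep only the lowercase (per-key) capability letters."""
    return "".join(ch for ch in capfield if ch.islower())


def parse_colons(text: str) -> List[Cert]:
    """Group pub/sub/fpr/uid records of a colon listing into certificates."""
    certs: List[Cert] = []
    current: Optional[Cert] = None
    last_part: Optional[KeyPart] = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            last_part = KeyPart("pub", f[4], _own_caps(f[11]))
            current = Cert(primary=last_part)
            certs.append(current)
        elif f[0] == "sub" and current is not None:
            last_part = KeyPart("sub", f[4], _own_caps(f[11]))
            current.subkeys.append(last_part)
        elif f[0] == "fpr" and last_part is not None:
            last_part.fpr = f[9]          # fingerprint of the preceding pub/sub
        elif f[0] == "uid" and current is not None:
            current.uids.append(f[9])
    return certs


def email_of(uid: str) -> Optional[str]:
    m = re.search(r"<([^>]+)>", uid)
    return m.group(1) if m else None


def challenge_report(cert: Cert) -> Dict[str, dict]:
    """For each address in the cert: which keys could decrypt a mail sent to
    it, and whether that set includes the primary key that binds the UIDs.
    gpg encrypts to one chosen encryption subkey; all 'e'-capable keys are
    listed here as candidates."""
    encryptors = [p for p in [cert.primary] + cert.subkeys if "e" in p.caps]
    report: Dict[str, dict] = {}
    for uid in cert.uids:
        addr = email_of(uid)
        if addr is None:
            continue
        report[addr] = {
            "certifying_key": cert.primary.keyid,
            "decrypting_keys": [p.keyid for p in encryptors],
            "proves_primary_control": any(p.kind == "pub" for p in encryptors),
        }
    return report


if __name__ == "__main__":
    for cert in parse_colons(SAMPLE_LISTING):
        for addr, info in challenge_report(cert).items():
            verdict = "primary key" if info["proves_primary_control"] else "subkey only"
            print(f"{addr}: encrypted challenge exercises {info['decrypting_keys']}"
                  f" ({verdict}); UIDs are bound by {info['certifying_key']}")
```

To run it against a real keyring, feed the output of `gpg --with-colons --list-keys <keyid>` to `parse_colons` instead of `SAMPLE_LISTING`. For the first sample certificate the report shows that an encrypted mail to user@example.org only exercises subkey FEDCBA9876543210, while the UIDs are bound by primary key 0123456789ABCDEF; for the second, where the primary key itself has the 'e' capability, an encrypted challenge does reach the certifying key.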
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users