On Friday 07 July 2006 17:09, Todd Zullinger wrote:
> Marcus Frings wrote:
> > * Todd Zullinger <[EMAIL PROTECTED]> wrote:
> >> What I don't see in any of the links is more information about
> >> sending an email challenge before signing a key.  (My apologies if
> >> I'm overlooking it on your page or any of the others.)
> >
> > Before, I used a protocol for signing keys where I sent out random
> > strings as challenge response, but it's not worth it. There is no
> > enhanced security and only more work for "signer" and "signee". If
> > you send the signed UIDs encrypted to each mail address separately
> > it has the same effect in security because if the mail address
> > bounces or the person behind the address doesn't have the private
> > key your signed UIDs won't become publicly available.
>
> But that does mean that you can't get a signed key to someone if the
> key you've signed doesn't have any encryption capabilities, correct?

That's obviously correct. In this case you could give the key owner a 
piece of paper with a random string and ask him to send it in a signed 
message to your email address. Then you know that he can use this key 
for signing messages. Obviously, you can't check the validity of the 
email addresses belonging to this key (unless he's got an encryption 
key you can use for checking the addresses).

But in case of a certification-only key even that won't work.

> Unless, of course, you have told the signee that they must provide
> you with a key which they wish to have the signed keys encrypted to.
>
> Have you found in practice that you don't run into many sign-only
> keys that you are asked to certify?

Among a few hundred keys I've signed so far, only a handful were 
sign-only or certification-only keys. I did simply sign them with a 
lower verification level.

Regards,
Ingo
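
The choice discussed in this thread depends on what the key can do. As an added example (not part of the original messages), this sketch reads the capability field of `gpg --with-colons --list-keys` output and picks the route: one encrypted mail per address, a signed challenge, or neither. The route names and the sample listings are constructed for illustration.

```python
import re

# Constructed `gpg --with-colons --list-keys` records; IDs and names are made up.
ENCRYPT_KEY = (
    "pub:-:2048:1:AAAAAAAAAAAAAAAA:1152230400:::-:::scESC:\n"
    "uid:-::::1152230400::0000::Alice Example <alice@example.org>:\n"
    "uid:-::::1152230400::0000::Alice Example <alice@example.net>:\n"
    "sub:-:2048:1:BBBBBBBBBBBBBBBB:1152230400::::::e:\n"
)
SIGN_ONLY_KEY = (
    "pub:-:1024:17:CCCCCCCCCCCCCCCC:1152230400:::-:::scSC:\n"
    "uid:-::::1152230400::0000::Bob Example <bob@example.org>:\n"
)
CERT_ONLY_KEY = (
    "pub:-:1024:17:DDDDDDDDDDDDDDDD:1152230400:::-:::cC:\n"
    "uid:-::::1152230400::0000::Carol Example <carol@example.org>:\n"
)


def plan_for_key(colons):
    """Return the verification route (hypothetical names) for one key listing."""
    caps, emails = "", []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 11:
            caps = f[11]  # field 12; uppercase letters describe the whole key
        elif f[0] == "uid" and len(f) > 9:
            m = re.search(r"<([^>]+)>", f[9])  # field 10 holds the user ID
            if m:
                emails.append(m.group(1))
    if "E" in caps:
        # Each signed UID goes out encrypted to its own address, so a dead
        # address or a missing private key keeps that signature unpublished.
        return {"route": "encrypt-per-uid", "send_to": emails,
                "addresses_checked": True}
    if "S" in caps:
        # A signed reply containing the random string shows the owner can
        # sign with the key; it says nothing about the addresses.
        return {"route": "signed-challenge", "send_to": [],
                "addresses_checked": False}
    # Certification-only key: neither check is available.
    return {"route": "no-proof-possible", "send_to": [],
            "addresses_checked": False}


if __name__ == "__main__":
    for key in (ENCRYPT_KEY, SIGN_ONLY_KEY, CERT_ONLY_KEY):
        print(plan_for_key(key))
```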


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
