-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 17 December 2011 at 4:58:28 PM, in
<mid:4eecca34.9050...@jeromebaum.com>, Jerome Baum wrote:


> On 2011-12-17 17:04, MFPA wrote:
>> On Saturday 17 December 2011 at 3:25:56 PM, in
>> <mid:4eecb484.6080...@jeromebaum.com>, Jerome Baum wrote:
>>> I doubt the validity of those automated checks and
>>> checks on the email anyway. What constitutes "owning"
>>> f...@example.com?

>> As far as that server's checking is concerned, being
>> able to receive the email they send out to that
>> address and respond to it or click a link.

> Okay so we're assuming that "ownership" means being
> able to read mail there. Given an attacker that cannot
> read mail for f...@example.com, if that attacker uploads
> a key with UID f...@example.com, what value does this
> verification have?


Unless somebody visits the link in the verification email, the key
will not be added to the PGP Global Directory.



> If I don't verify the key, and send
> an encrypted email to f...@example.com, the attacker
> presumably cannot read the message anyway.

Nor can the person who controls f...@example.com, but your email has
just provided the service of alerting them to the existence of the
attacker's key.



> For signing, well I don't usually care that "some
> person who was at a point or currently is able to
> receive or intercept emails sent to f...@example.com
> signed this message", I usually care that "John Smith
> signed it". But let's assume I care whether something
> really originated with a person that was or is able to
> read email to f...@example.com, how is this more useful
> than just emailing them to confirm?

Convenience. *If* you trust the signature from the server that says they
verified the email address for you, you don't need to do it yourself.



> i.e. IMO emails on UIDs are bullshit.

I would rather use hashes in UIDs, so that if you have my name or
email address you can locate my key but inspecting my key does not
give you my identity or contact details.



> So are
> certification policies that say (or don't say but
> enforce anyway) that you must have an email on your
> UID. Why refuse to certify _less_ information?

Why indeed. My government won't issue a passport that doesn't include
my date of birth. These days I can't even get a driving licence that
doesn't show my date of birth. What does a date of birth have to do
with my competence to drive between now and my licence's expiry date,
or with my ability to travel across borders?


- --
Best regards

MFPA                    mailto:expires2...@ymail.com

If you can't convince them, confuse them.
-----BEGIN PGP SIGNATURE-----

iQCVAwUBTu5sAaipC46tDG5pAQptawP+NWp3JRBG4zX2M1p+P1UyaaPV/7GQ8Zcg
e3fEdS7jqb6AewEpvpvjwI1mEAS935B4I0RpgBHZHpTFYvVUFJfg0wL6QP+b/qHy
45I/aKBu37qnlBxSMqd98eq8s0lNhcmJpcowUcW1nF1qkTA8nF5303VF5P3jnwLJ
nCJ4NR7tax0=
=sEfb
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
