Hi everyone!

> On 27.02.2015 at 13:11, Kristian Fiskerstrand <kristian.fiskerstr...@sumptuouscapital.com> wrote:
>
> People need to understand that operational security is critical for
> any security of a system and validate the key through a secondary
> channel (fingerprint, algorithm type, key length, etc., verifiable
> directly or through probabilistic measures, e.g. based on historical
> postings on mailing lists over a long time for a project, etc.).
Perhaps new emerging services like https://keybase.io can help with better key verification if clients like Enigmail and GPGMail (and others) integrate it into their workflows.

Keybase works in a way that one creates an account, uploads one's public key, and adds verification through at least one other means. Those include access to an account on Twitter, GitHub, Reddit or Hacker News, or a proof of domain ownership either by a DNS TXT entry or a file on the web server that follows a certain format. That way, the owner of a key can stipulate that they are able to access these accounts as well and are probably not fake.

Of course, the valid point remains that not only the tweet, gist or other postings that are proof of ownership should be checked, but also other activity on relevant accounts, similar to what Kristian suggested for looking up activity on e-mail addresses.

If you'd like to see an example, my profile can be viewed here: https://keybase.io/marcozehe.

Marco
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
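The direct secondary-channel check Kristian describes (fingerprint, algorithm type, key length), as an added example that is not code from this thread, from Keybase or from GnuPG: it parses an OpenPGP v4 public-key packet, computes the v4 fingerprint as RFC 4880 defines it (SHA-1 over 0x99, a two-octet length and the packet body) and compares fingerprint, algorithm and key size with values obtained over a second channel. The sample key material, the timestamp and the published-fingerprint string are constructed for the example; the format of the out-of-band record is assumed to be plain grouped hex as one would copy from a web page or TXT record, not any particular Keybase proof format, which the post above does not spell out. ECC keys are detected but their size is not evaluated.

```python
"""Cross-check an OpenPGP public key against out-of-band claims (added example)."""
import hashlib
import re
import struct

# RFC 4880 section 9.1 public-key algorithm IDs (the three RSA variants share a name).
PK_ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA",
            18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
ECC_ALGOS = (18, 19, 22)


def read_packet(data):
    """Return (tag, body) of the first packet in data (RFC 4880 section 4.2 headers)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                   # new-format header
        tag, b1 = first & 0x3F, data[1]
        if b1 < 192:
            hdr, length = 2, b1
        elif b1 < 224:
            hdr, length = 3, ((b1 - 192) << 8) + data[2] + 192
        elif b1 == 255:
            hdr, length = 6, struct.unpack(">I", data[2:6])[0]
        else:
            raise ValueError("partial-body lengths not supported")
    else:                                              # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1 << ltype)                         # 1-, 2- or 4-octet length field
        length = int.from_bytes(data[1:hdr], "big")
    return tag, data[hdr:hdr + length]


def parse_v4_pubkey(body):
    """Return (creation_time, algo_id, mpis) from a v4 public-key packet body (section 5.5.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    ctime, algo = struct.unpack(">IB", body[1:6])
    if algo in ECC_ALGOS:          # an OID precedes the point; not parsed in this example
        return ctime, algo, []
    mpis, off = [], 6
    while off < len(body):         # each MPI: two-octet bit count, then the big-endian value
        bits = struct.unpack(">H", body[off:off + 2])[0]
        n = (bits + 7) // 8
        mpis.append(int.from_bytes(body[off + 2:off + 2 + n], "big"))
        off += 2 + n
    return ctime, algo, mpis


def fingerprint_v4(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99 || two-octet body length || body, as hex."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_bits(algo, mpis):
    """Public key size: bit length of the RSA modulus n, or of the DSA/Elgamal prime p."""
    if algo in (1, 2, 3, 16, 17) and mpis:
        return mpis[0].bit_length()
    return None                    # unknown or ECC: size not judged here


def normalize_fpr(text):
    """Drop grouping spaces, colons and case from a fingerprint copied off a second channel."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def verify_key(packet, claimed_fpr, expected_algo=None, min_bits=None):
    """Return the list of discrepancies between the key and the out-of-band claims."""
    tag, body = read_packet(packet)
    if tag != 6:
        return ["packet is not a public-key packet (tag %d)" % tag]
    _, algo, mpis = parse_v4_pubkey(body)
    problems, fpr = [], fingerprint_v4(body)
    if normalize_fpr(claimed_fpr) != fpr:
        problems.append("fingerprint mismatch: key %s, claim %s" % (fpr, normalize_fpr(claimed_fpr)))
    name = PK_ALGOS.get(algo, "unknown(%d)" % algo)
    if expected_algo and name != expected_algo:
        problems.append("algorithm mismatch: key %s, claim %s" % (name, expected_algo))
    bits = key_bits(algo, mpis)
    if min_bits and (bits is None or bits < min_bits):
        problems.append("key size %s below required %d bits" % (bits, min_bits))
    return problems


def build_pubkey_packet(creation_time, algo, mpis):
    """Wrap a v4 body in an old-format tag-6 header; used only to construct the sample."""
    body = bytes([4]) + struct.pack(">IB", creation_time, algo)
    for n in mpis:
        body += struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


# Constructed sample: a "2048-bit RSA" key whose modulus is a made-up number, not a real key.
SAMPLE_PACKET = build_pubkey_packet(1425038400, 1, [(1 << 2047) | 0xC0FFEE, 65537])

if __name__ == "__main__":
    fpr = fingerprint_v4(read_packet(SAMPLE_PACKET)[1])
    published = " ".join(fpr[i:i + 4] for i in range(0, 40, 4))   # as it would be posted
    print("fingerprint:", published, "key ID:", fpr[-16:])
    print("matching claim:", verify_key(SAMPLE_PACKET, published, "RSA", 2048))
    print("bad claim:     ", verify_key(SAMPLE_PACKET, "0" * 40, "DSA", 4096))
```

In practice the packet bytes come from `gpg --export KEYID` (the first packet of the export is the primary public key) and the claimed fingerprint from the second channel, so the check fails loudly when a keyserver hands back a different key under the same name or e-mail address.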