Kristian Fiskerstrand said:

> >> You wouldn't need the keyservers to be involved in this at all.
> >> Anyone could set up such a mail verification CA outside of the
> >> keyserver network.

How about storing keys in a more distributed manner, DNS, in addition to some other method of authentication, DNSSEC and DANE?

Paul Wouters and others are working on it:

Using DANE to Associate OpenPGP public keys with email addresses
https://tools.ietf.org/html/draft-wouters-dane-openpgp-02

Paul recently gave a presentation about it at an ICANN meeting:

Slides
http://singapore52.icann.org/en/schedule/mon-tech/presentation-new-dnssec-technologies-09feb15-en.pdf

Video, via Adobe Connect, starts about 4:49:00 and goes to about 5:08:00:
https://icann.adobeconnect.com/p2j5gtoni79/?launcher=false&fcsContent=true&pbMode=normal

Audio:
http://audio.icann.org/meetings/singapore2015/tech-09feb15-en.mp3

Slide 1 of the presentation (not including the title slide) shows how you can obtain Paul's key with dig, and slide 2 shows the easier method using hash-slinger:

    openpgpkey --fetch email_address

Slide 5 shows how to create the DNS record:

    openpgpkey --create email_address --output rfc

On slide 9 Paul talks about openpgpkey-milter, which is a Postfix and Sendmail plugin to auto-encrypt email. Note it is not recommended for production use yet.

And to make mail servers less NSA friendly we should be setting up DANE and requiring STARTTLS with forward secrecy anyway! It's on my TODO list!

Chuck

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
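As an added illustration of what the `dig` and `openpgpkey --create ... --output rfc` steps above operate on (this is not code from the post, from hash-slinger, or from the draft): the owner name for an address is derived by hashing the local-part and placing it under `_openpgpkey.<domain>`, and the record carries the base64 of the key. The hashing below follows the form later published as RFC 7929 (SHA2-256 truncated to 28 octets); whether the -02 draft linked in the post hashes identically is an assumption to check against that draft.

```python
"""Derive OPENPGPKEY owner names and build/parse presentation-format records.

Added example; follows the RFC 7929 owner-name construction (assumption that
the -02 draft matches). Local-part normalisation rules are left to the spec:
the local-part is hashed exactly as given here.
"""
import base64
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"


def hash_local_part(local_part: str) -> bytes:
    """SHA2-256 of the local-part, truncated to 28 octets."""
    return hashlib.sha256(local_part.encode("utf-8")).digest()[:28]


def owner_name(email: str) -> str:
    """Return the DNS owner name a resolver would query for this address."""
    local_part, _, domain = email.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    # DNS names are case-insensitive, so only the domain is lowercased.
    hashed = hash_local_part(local_part).hex()
    return f"{hashed}.{OPENPGPKEY_LABEL}.{domain.lower()}"


def format_rr(email: str, key_packets: bytes, ttl: int = 3600) -> str:
    """Presentation-format RR: '<owner>. <ttl> IN OPENPGPKEY <base64 key>'."""
    rdata = base64.b64encode(key_packets).decode("ascii")
    return f"{owner_name(email)}. {ttl} IN OPENPGPKEY {rdata}"


def parse_rr(line: str):
    """Parse one presentation-format record back into (owner, ttl, key bytes).

    The base64 field may be split across whitespace in zone files, so the
    remainder of the line is re-joined before decoding.
    """
    owner, ttl, klass, rtype, rdata = line.split(maxsplit=4)
    if klass != "IN" or rtype != "OPENPGPKEY":
        raise ValueError(f"not an OPENPGPKEY record: {line!r}")
    return owner.rstrip("."), int(ttl), base64.b64decode("".join(rdata.split()))


if __name__ == "__main__":
    # Constructed sample blob standing in for a transferable public key.
    sample_key = b"\xc6\x8d" + bytes(range(16))
    record = format_rr("hugh@Example.COM", sample_key)
    print(record)
    print(parse_rr(record))
```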