On Monday 27 July 2015 07:55:03 n...@enigmail.net wrote:
> Hi all,
> 
> in March we discussed here
> "German ct magazine postulates death of pgp encryption"
> and Patrick Brunschwig proposed a way to validate email addresses
> 
> I also had in mind:
> > http://lists.gnupg.org/pipermail/gnupg-users/2015-March/052882.html
> 
> In the past months I tried to come up with a concrete proposal.
> I discussed it already with some people and
> this is what I/we propose so far.
> The proposal is not perfect and not completely worked out
> but IMO it is ready for a broader discussion and review.

This whole concept of a whitelist of "trusted validation servers" included in 
the email clients sounds a lot like the CA certificate bundles included in 
browsers and/or OSes. Who is going to maintain this whitelist? The email 
client developers? The OS manufacturers? Who is going to certify "trusted 
validation servers", i.e. who is going to tell benign validation servers apart 
from malignant validation servers?

Your proposal seems to repeat a lot of the (failed) concepts of the 
centralized CA approach. For this reason I think the approach is doomed to 
fail the same way the centralized CA approach has failed (even if everybody 
seems to ignore its failure).

I'd rather put my bets on a DANE-based approach like 
https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/


Regards,
Ingo
