On Sun, 2010-08-22 at 08:13 -0700, C.J. Adams-Collier KF7BMP wrote:
> > If I'm not missing something substantially (and I don't think so) there
> > is really nothing which you'd gain from this anyway.
> > If I send you some encrypted challenge or vice versa, you have neither a
> > proof that I'm actually "Christoph Anton Mitterer" but only that the
> > owner of that key has access to that email address (which an attacker
> > can have easily too, via MiM-attacks).
>
> Yes, it would be a weak indication, but it is more indication than
> just that you own the associated email.

Associated with what? With my key? With the keyserver?

> The only thing I intended to suggest with this link is that these are
> the standards by which the state requires me to operate.

As it was already pointed out here, this likely doesn't apply to a keyserver.
A keyserver is not a certificate authority,... nor a registration authority.
It's just a service holding any keys. These keys can be valid (in the sense of "good") or forged (e.g. I could upload a key with "Linus Torvalds").

> Please accept my sincere apology. I did not mean to offend. I have
> never received a refusal to sign a message indicating ownership of a
> private key and it raised a red flag.

Well it's ok,... but you really should understand, that this is completely pointless, especially when one wants to make a connection between a key, and the owner/operator of a keyserver.

What people (sometimes) do is: making such challenges, after (or in addition) to personal meetings, where they've exchanged fingerprints, and identity documents (like passport).
Then it's used as a (very limited) proof, that someone has control over an email-address.

Cheers,
Chris.

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/sks-devel