re. Moving from PGP to GnuPG and other questions ...

Josh Huber huber+gpg at alum.wpi.edu
Thu Apr 29 22:49:54 CEST 2004


Jeff Fisher <jeff+gnupg at jeffenstein.org> writes:

> [...]

> There is also the e-mail address in the user id field, which should
> be unique and relatively constant, but little or none of the
> information on signing keys mentions verifying that the e-mail
> address is actually this person.  Yes, it's possible that someone
> else will take that e-mail address, but if several e-mail addresses
> are listed on the key, you can be relatively sure that you can still
> reach the person.

Before I sign someone's key, I like to verify the email addresses
associated with each UID.  I do this with a small emacs "plugin" which
uses Gnus to generate and send encrypted challenge messages to each
uid, given a keyid.

It's here: http://www.paradoxical.net/~huber/gpg-party.el

For each uid, I generate a random challenge string.  I'll only sign
a uid if I get a matching challenge string back.

Maybe this is overkill, but I like it!

-- 
Josh Huber
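The per-UID challenge scheme described in the message above, as an added example that is not part of the post or of gpg-party.el. It assumes a `send` callback that encrypts the challenge to the key and mails it (in practice a pipe through `gpg --encrypt`); the UIDs and key ID are constructed placeholders. Encrypting the challenge to the key means a correct reply proves control of both the mailbox and the private key.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed sample UIDs, shaped like the uid lines of `gpg --list-keys`.
SAMPLE_UIDS = [
    "Alice Example <alice@example.org>",
    "Alice Example <alice@example.net>",
]


def parse_email(uid: str) -> str:
    # Pull the address out of 'Name (comment) <addr>'; reject UIDs without one.
    start, end = uid.rfind("<"), uid.rfind(">")
    if start == -1 or end < start:
        raise ValueError(f"UID has no e-mail address: {uid!r}")
    return uid[start + 1:end].lower()


@dataclass
class KeyParty:
    keyid: str                                   # placeholder, e.g. "0xDEADBEEF"
    send: Callable[[str, str, str], None]        # send(keyid, address, challenge)
    pending: Dict[str, str] = field(default_factory=dict)
    verified: Set[str] = field(default_factory=set)

    def issue_challenges(self, uids: List[str]) -> List[str]:
        # One fresh random challenge per address; each is encrypted to keyid.
        for uid in uids:
            addr = parse_email(uid)
            token = secrets.token_hex(16)
            self.pending[addr] = token
            self.send(self.keyid, addr, token)
        return sorted(self.pending)

    def receive(self, addr: str, token: str) -> bool:
        # Constant-time compare; a challenge can be redeemed only once.
        expected = self.pending.get(addr.lower())
        if expected is None or not token.isascii():
            return False
        if not hmac.compare_digest(expected, token):
            return False
        self.verified.add(addr.lower())
        del self.pending[addr.lower()]
        return True

    def uids_to_sign(self, uids: List[str]) -> List[str]:
        # Sign only the UIDs whose address returned its own challenge.
        return [u for u in uids if parse_email(u) in self.verified]
```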