Proposal of OpenPGP Email Validation

Ingo Klöcker kloecker at kde.org
Mon Jul 27 16:31:15 CEST 2015


On Monday 27 July 2015 07:55:03 nico at enigmail.net wrote:
> Hi all,
> 
> in March we discussed here
> "German ct magazine postulates death of pgp encryption"
> and Patrick Brunschwig proposed a way to validate email addresses
> 
> I also had in mind:
> > http://lists.gnupg.org/pipermail/gnupg-users/2015-March/052882.html
> 
> In the past months I tried to come up with a concrete proposal.
> I discussed it already with some people and
> this is what I/we propose so far.
> The proposal is not perfect and not completely worked out
> but IMO it is ready for a broader discussion and review.

This whole concept of a whitelist of "trusted validation servers" included in 
the email clients sounds a lot like the CA certificate bundles included in 
browsers and/or OSes. Who is going to maintain this whitelist? The email 
client developers? The OS manufactures? Who is going to certify "trusted 
validation servers", i.e. who is going to tell benign validation servers apart 
from malignant validation servers?

Your proposal seems to repeat a lot of the (failed) concepts of the 
centralized CA approach. For this reason I think the approach is doomed to 
fail the same way the centralized CA approach has failed (even if everybody 
seems to ignore its failure).

I'd rather put my bets on a DANE-based approach like 
https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/


Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20150727/5a12d106/attachment.sig>


More information about the Gnupg-users mailing list