Proposal of OpenPGP Email Validation

Ingo Klöcker kloecker at kde.org
Tue Jul 28 16:56:08 CEST 2015


On Monday 27 July 2015 20:19:07 nico at enigmail.net wrote:
> Am 27.07.2015 um 16:31 schrieb Ingo Klöcker:
> > This whole concept of a whitelist of "trusted validation servers" included
> > in the email clients sounds a lot like the CA certificate bundles
> > included in browsers and/or OSes. Who is going to maintain this
> > whitelist? The email client developers? The OS manufactures? Who is going
> > to certify "trusted validation servers", i.e. who is going to tell benign
> > validation servers apart from malignant validation servers?
> 
> I agree that this is a key issue/problem of the approach.
> And indeed, I suggest to initially or by default give some trust
> to some signatures.
> 
> Note that I propose different things, though:
> 1) A standard format for such validations.
>    This simply would help to be able to deal with any
>    validation approach.
> 2) A way to establish such validations
>    by using a validating key server proxy.
> 3) A whitelist.
> 
> I am happy to only have 1) and 2) and to teach people
> to trust e.g. specific servers (and to mistrust others).
> 
> I only want to have a way to manage email validations
> (a common technique where everybody wonders why this
>  is not supported).
> This is the best I could come up with after discussing this
> with several people.
> And so far it would be a lot more than we have now.
> It it might fix a problem which otherwise is a show stopper.
> 
> If this is not appropriate, what do YOU propose instead
> for email validation?
> So many processes in this world are today based on email validation.
> Do you think that in general email validation is not the right approach
> or do you propose something different?

I'm not against your proposal per se. In fact, I'm probably one of the few 
people who actually think that the email validation done by PGP.com has some 
value. Consequently, I am also seeing the value in your proposal.

I'm just having reservations with regard to the whitelists. See my reply to 
Ludwig's reply.


Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20150728/4761c71a/attachment.sig>


More information about the Gnupg-users mailing list