Making the case for smart cards for the average user
MFPA
2014-667rhzu3dc-lists-groups at riseup.net
Tue Mar 17 01:55:51 CET 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Saturday 14 March 2015 at 10:37:18 PM, in
<mid:CAAocvpvEqs-tQ-rEki8AX3spdSt8P5TG0+KoXVtufW0Azy9wDQ at mail.gmail.com>,
Joey Castillo wrote:
> The goal is to simplify
> not just everyday things like how to make a key or
> encrypt an email, but also more complex things like
> "what is my identity and how do I verify it?" [1]
> [1]:
> https://github.com/josecastillo/signet/blob/master/guidelines.md#certification-and-trust
Although I don't really like email addresses in the UIDs of my keys, I
quite like the simplicity of your "email address only" simplified UID
format. However, I would urge you to reconsider your decision to drop
the angle brackets. At least one MUA (the MUA I am using to write this
message) sends the email address enclosed in angle brackets as the
search string for GnuPG to locate the key. No angle brackets around
the email address means no key found.
Your proposed "automated email verification service" will beat the PGP
Global Directory's verification check by encrypting the verification
message to confirm that the user is in control of the key as well as
the email address. But it retains the problem of relatively frequent
verification signatures accumulating; I don't know a solution to that.
If a user has multiple email addresses, does the "automated email
verification service" send a different encrypted verification link to
each address, and then only sign the UIDs that the user verified? And
is there the option to reply to email rather than click a link?
Finally, if the person at the other end is able to decrypt my message
and reply to me, then the key and the email address are controlled by
the same person. What assurance does the verification service add?
- --
Best regards
MFPA <mailto:2014-667rhzu3dc-lists-groups at riseup.net>
Can you imagine a world with no hypothetical situations?
-----BEGIN PGP SIGNATURE-----
iQF8BAEBCgBmBQJVB3uZXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw5+8IAJy5B9i2Jd4RY7gWFUQtyJ8t
GdUqHmGs8k3X/OwdOyvvD3GGZ7Wv/txZaHwaF8hA23axgGDnGOVfhucFe3BkQAFV
EHXJ/+cmmtt3Hp7uSKMoL8vFvv9ePJnQOZ1y4cMsP9jEpdZ1/dX8iV70MYVtd+Dk
uu0uqOt/MsQOg5Q45LmbCvhlL2ZDNoWqj4dmjdQ3t/LLWH2yI2yPQlk0KqJCB7LN
QUIww+p+81q4R1RWbP2o+wHFH8Ch4NL6oF3hCAO/mQmF117wxxOiyB+oULmjrNrD
Y0VYFbg9m23e/9EbtzBMvim6XRQhMbGwhWHy28yXuYX6vUQrmk5kHWmXdta1N5KI
vgQBFgoAZgUCVQd7oF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45PdmAQCjnWO9c1n74cf/2jU5OA9H+cgc
HGU6wx1jaNzZjr9+3gEAcE6FbOrBfJEz648Ps/j3x3otTG+PxJFxzBzOyyid4gs=
=GLMZ
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list