Re: How to verify the e-mail address when certifying OpenPGP User IDs [was: Re: Signing a key (meaning)]

Thu, 07 Apr 2011 17:08:00 -0700 

Hi Daniel,

thanks for the answer, but it seems to me with this procedure you only
check    whether    the  person  has  access to the email address, you
don't check whether this access is illegal, don't you?

Tace care,
Jan

-------- Original-Nachricht --------
> Datum: Thu, 07 Apr 2011 19:49:50 -0400
> Von: Daniel Kahn Gillmor <d...@fifthhorseman.net>
> An: takethe...@gmx.de
> CC: GnuPG Users <gnupg-users@gnupg.org>
> Betreff: How to verify the e-mail address when certifying OpenPGP User IDs 
> [was: Re: Signing a key (meaning)]

> On 04/07/2011 07:33 PM, takethe...@gmx.de wrote:
> > The reason I asked this quetion is that I wonder how I can check whether
> the email address in the ID realy belongs to the keyowner. 
> 
> The standard way i've seen e-mail address verification done is with caff
> ("certificate authority fire and forget") from the signing-party package
> in debian.
> 
> caff works like this:
> 
>  0) during an in-person meeting, you verify the person's identity (often
> by checking official ID) and get their claimed fingerprint.  You note
> this down in some way that you can unimpeachably retrieve it (e.g. on a
> slip of paper, in your own handwriting, and that does not leave your
> physical possession).
> 
>  1) afterward, when you have some time, you take your piece of paper,
> and for each fingerprint, run "caff $FINGERPRINT".  caff presents you
> with the person's name and claimed e-mail address.  You verify the name,
> and that the e-mail address seems at least plausible.
> 
>  2) if you've said it seems ok, caff then makes an OpenPGP certification
> on your behalf, creates an introductory e-mail message explaining what
> this is, attaches the certification, encrypts the e-mail message to the
> keyholder, and sends the e-mail.  The certification stays in a special
> caff-specific keyring (not your own everyday keyring).
> 
> If the keyholder actually does control the e-mail address in question,
> they'll receive the message, decrypt it, and then be able to add your
> certification to their own key.  Then, if they choose, they can upload
> your certification to the public keyserver (so you and everyone else can
> see it) or they can mail it back to you (if they only want to complete
> the handshake for you in particular, but want to keep the association
> otherwise temporarily private).
> 
> Make sense?
> 
>       --dkg
> 

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to