Hi Daniel, thanks for the answer, but it seems to me with this procedure you only check whether the person has access to the email address, you don't check whether this access is illegal, do you?
Take care, Jan

-------- Original Message --------
> Date: Thu, 07 Apr 2011 19:49:50 -0400
> From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
> To: takethe...@gmx.de
> CC: GnuPG Users <gnupg-users@gnupg.org>
> Subject: How to verify the e-mail address when certifying OpenPGP User IDs [was: Re: Signing a key (meaning)]
>
> On 04/07/2011 07:33 PM, takethe...@gmx.de wrote:
> > The reason I asked this question is that I wonder how I can check whether the email address in the ID really belongs to the keyowner.
>
> The standard way I've seen e-mail address verification done is with caff ("certificate authority fire and forget") from the signing-party package in debian.
>
> caff works like this:
>
> 0) during an in-person meeting, you verify the person's identity (often by checking official ID) and get their claimed fingerprint. You note this down in some way that you can unimpeachably retrieve it (e.g. on a slip of paper, in your own handwriting, and that does not leave your physical possession).
>
> 1) afterward, when you have some time, you take your piece of paper, and for each fingerprint, run "caff $FINGERPRINT". caff presents you with the person's name and claimed e-mail address. You verify the name, and that the e-mail address seems at least plausible.
>
> 2) if you've said it seems ok, caff then makes an OpenPGP certification on your behalf, creates an introductory e-mail message explaining what this is, attaches the certification, encrypts the e-mail message to the keyholder, and sends the e-mail. The certification stays in a special caff-specific keyring (not your own everyday keyring).
>
> If the keyholder actually does control the e-mail address in question, they'll receive the message, decrypt it, and then be able to add your certification to their own key. Then, if they choose, they can upload your certification to the public keyserver (so you and everyone else can see it) or they can mail it back to you (if they only want to complete the handshake for you in particular, but want to keep the association otherwise temporarily private).
>
> Make sense?
>
> --dkg

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
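As an added example that is neither part of this thread nor caff's own code, here is the handshake from steps 1 and 2 above reproduced with plain gpg between two throwaway keyrings, "signer" and "holder"; it assumes GnuPG 2.1+ on PATH, and all names and addresses are constructed. The count at the end shows what the handshake actually establishes: the certification only becomes usable in the holder's keyring after the encrypted mail has been decrypted with that key's private half.

```shell
#!/bin/sh
# Added example (not caff's own code): the caff handshake reproduced with
# plain gpg between two throwaway homedirs. Assumes GnuPG 2.1+; names are constructed.
set -e

WORK=$(mktemp -d)
SIGNER="$WORK/signer"; HOLDER="$WORK/holder"
mkdir -m 700 "$SIGNER" "$HOLDER"
cleanup() { for d in "$SIGNER" "$HOLDER"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"; }
trap cleanup EXIT

# Unattended gpg for each side (demo keys carry no passphrase).
sgpg() { gpg --homedir "$SIGNER" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }
hgpg() { gpg --homedir "$HOLDER" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }
fpr_of() { awk -F: '$1=="fpr"{print $10; exit}'; }   # first fingerprint in --with-colons output

# Both parties have keys. Step 0 (checking ID and fingerprint in person) has no code.
sgpg --quick-generate-key 'Signer <signer@example.invalid>' default default never >/dev/null 2>&1
hgpg --quick-generate-key 'Holder <holder@example.invalid>' default default never >/dev/null 2>&1
SIGNER_FPR=$(sgpg --with-colons --list-keys signer@example.invalid | fpr_of)
HOLDER_FPR=$(hgpg --with-colons --list-keys holder@example.invalid | fpr_of)
SIGNER_KEYID=$(printf %s "$SIGNER_FPR" | tail -c 16)   # long key ID = last 16 hex digits

# How many certifications on the holder's key, as the holder's keyring sees them,
# come from the signer's key and verify ("!" in field 2 of a sig record)?
count_signer_certs() {
    hgpg --with-colons --check-sigs "$HOLDER_FPR" 2>/dev/null \
      | awk -F: -v k="$SIGNER_KEYID" '$1=="sig" && $2=="!" && $5==k' | wc -l | tr -d ' '
}

# Step 1: signer fetches the key named by the fingerprint and certifies the UID.
hgpg --export "$HOLDER_FPR" | sgpg --import >/dev/null 2>&1
sgpg --quick-sign-key "$HOLDER_FPR" holder@example.invalid >/dev/null 2>&1

# Step 2: export the certified key (caff would trim it to the one UID) and encrypt
# it to the holder's key, so only that key's private half can recover it.
sgpg --armor --export "$HOLDER_FPR" > "$WORK/certified.asc"
sgpg --trust-model always --encrypt --recipient "$HOLDER_FPR" \
     --output "$WORK/certified.asc.gpg" "$WORK/certified.asc"

# Holder side: fetch the signer's public key (from a keyserver, in real life), then
# note that the certification is absent until the encrypted mail is decrypted and imported.
sgpg --export "$SIGNER_FPR" | hgpg --import >/dev/null 2>&1
BEFORE=$(count_signer_certs)
hgpg --decrypt "$WORK/certified.asc.gpg" 2>/dev/null | hgpg --import >/dev/null 2>&1
AFTER=$(count_signer_certs)
echo "signer certifications visible to holder: before=$BEFORE after=$AFTER"
```

Real caff additionally splits the key so each UID gets its own mail, which is what ties each certification to one specific mailbox.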