On Wed, 29 Jan 2014 11:14:11 +0000 "nb.linux" <nb.li...@xandea.de> wrote:
> Gregor Zattler:
> > Hi Steve, gnupg users,
> >
> > * Steve Jones <st...@secretvolcanobase.org> [24. Jan. 2014]:
> >
> > That's an interesting idea. But there is still the possibility
> > of a man in the middle attac... The web of trust is supposed to
> > counter MITM attacks by signing keys only if the verification was
> > done directly (no middle person).
>
> maybe you already discussed that, but what about sending someone an
> encrypted email (with the challenge) and wait for an encrypted reply
> with the signed challenge? (as you seem to talk only about sending a
> clear text challenge)

Yes, the message being sent would have to be encrypted for the
procedure to be valid, otherwise an attacker could read the mail and
spoof a response (after having already spoofed your communication with
the key server).

> Personally, I don't want such behaviour. When I'm making a
> certification, then it's me doing it manually as I have the
> responsibility. I don't want some program to be able to make
> automatized certifications with my key.

Well, it could be semi-automatic. I'm only talking about persona
certifications, which appear to be understood as verifying that the key
and the email address are under the control of the same person. Having
your mail client being able to determine that the key and the email
address seem to match and offering you a one click (plus passphrase)
option to verify that fact would be nice.

-- 
Steve Jones <st...@secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC 4272 2AC8 A680 7167 C896
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
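The encrypted challenge-response exchange discussed in this message, written out with the `gpg` command line as an added example; it is not part of the original post and not GnuPG project code. The function names, the `example.org` identities and the single throwaway keyring shared by both parties are assumptions made for the demonstration, and GnuPG 2.1 or later is assumed.

```shell
# Added example: encrypted challenge-response between a verifier and the
# holder of the key published for an address. Identities are constructed;
# one throwaway keyring stands in for both parties' separate keyrings.
GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"

g() {
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --trust-model always "$@"
}

make_key() { g --quick-generate-key "$1" default default never 2>/dev/null; }

fpr_of() {  # primary-key fingerprint for a user ID
  g --with-colons --list-keys "$1" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# run_challenge VERIFIER CLAIMED_OWNER ACTUAL_SIGNER
# Returns 0 only if the reply is signed by CLAIMED_OWNER's key and
# carries the nonce that was sent.
run_challenge() (
  verifier=$1 owner=$2 signer=$3
  work=$(mktemp -d) || exit 1
  want=$(fpr_of "$owner"); [ -n "$want" ] || exit 1
  nonce=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')

  # 1. Verifier: encrypt a fresh nonce to the key under test.
  printf '%s' "$nonce" |
    g --armor --encrypt -r "$owner" -o "$work/challenge.asc" || exit 1

  # 2. Responder: decrypt, sign the nonce, encrypt the reply to the verifier.
  g --decrypt "$work/challenge.asc" 2>/dev/null |
    g --armor --sign --encrypt -u "$signer" -r "$verifier" \
      -o "$work/reply.asc" || exit 1

  # 3. Verifier: decrypt, then require a valid signature from the expected
  #    fingerprint and an unchanged nonce. Anything else fails closed.
  status=$(g --status-fd 1 -o "$work/reply.txt" --decrypt "$work/reply.asc" \
           2>/dev/null) || exit 1
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $want " || exit 1
  [ "$(cat "$work/reply.txt")" = "$nonce" ]
)
```

A mail client following the semi-automatic approach in the message would offer the persona certification only after a check like `run_challenge` succeeds, leaving the final confirmation and passphrase entry to the user.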