Hi, to deal with faked keys, some guys had the idea to use email verification and then let certification servers take that as "casual signing".
For example:

- Some guy might create a key using a mail client.
- That key is then automatically sent by the email client to a server, which can be used as a key server.
- The key server sends a confirmation request to the email address(es) of the registered key.
- If the confirmation recipient confirms that he/she registered the key, the key server certifies this key as casually checked.

THAT IS, the key server would automatically certify the correctness of the association between the key and the email address as casual signing.

The big advantage would be to have a simple way to validate keys. The big disadvantage, beside some details (such as registering additional email addresses), is probably that PGP signatures usually sign the owner, not his/her email address, if I understood it correctly.

Although regarding signature types, we state in RFC4880:

> Please note that the vagueness of these meanings is not a flaw,
> but a feature of the system.

But we could mark this kind of automatically certifying key server as special so that people (are able to) know what they do when they trust this key server and therefore its casually signed keys.

What do you think about this idea? Was it ever discussed?

-- 
Nicolai M. Josuttis
www.josuttis.de
PGP Fingerprint: EA25 EF48 BF20 01E4 1FAB 0C1C DEF9 FC80 8A1C 44D0

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
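The upload / challenge / confirm / certify flow sketched in the post, as an added example that is not part of the original message and not the code of any GnuPG key server: a hypothetical `CasualKeyServer` class in which an HMAC over the (fingerprint, address) pair stands in for the server's OpenPGP certification signature, the "casual" label is the distinguishing mark the post proposes, and tokens are single-use and time-limited so a leaked or replayed confirmation cannot certify a key.

```python
import hashlib
import hmac
import secrets

CASUAL_CERT = "casual"  # marks email-only checks as distinct from in-person key signing


class CasualKeyServer:
    """Hypothetical key server: certifies a key/email association only after
    the mailbox owner echoes back an unguessable, single-use, expiring token."""

    def __init__(self, server_secret: bytes, token_ttl: int = 3600):
        self.secret = server_secret   # stands in for the server's certification key
        self.ttl = token_ttl
        self.pending = {}             # token -> (fingerprint, email, expiry time)
        self.certs = {}               # (fingerprint, email) -> certification record
        self.outbox = []              # constructed stand-in for outgoing mail

    def upload(self, fingerprint: str, emails: list, now: int) -> None:
        """Accept an uploaded key and challenge every address in its user IDs."""
        for email in emails:
            token = secrets.token_urlsafe(24)
            self.pending[token] = (fingerprint, email, now + self.ttl)
            self.outbox.append({"to": email, "fpr": fingerprint, "token": token})

    def _msg(self, fingerprint: str, email: str) -> bytes:
        # The certification binds the label, the exact key and the exact address.
        return f"{CASUAL_CERT}|{fingerprint}|{email}".encode()

    def confirm(self, token: str, now: int):
        """Mailbox owner returns the token; certify on success, else None."""
        entry = self.pending.pop(token, None)   # single-use: consumed on first attempt
        if entry is None:
            return None
        fingerprint, email, expires = entry
        if now > expires:                       # stale challenge: refuse, do not certify
            return None
        sig = hmac.new(self.secret, self._msg(fingerprint, email), hashlib.sha256).hexdigest()
        self.certs[(fingerprint, email)] = {"type": CASUAL_CERT, "sig": sig}
        return self.certs[(fingerprint, email)]

    def verify(self, fingerprint: str, email: str) -> bool:
        """Does this server vouch (casually) for this key/address association?"""
        rec = self.certs.get((fingerprint, email))
        if rec is None or rec["type"] != CASUAL_CERT:
            return False
        expected = hmac.new(self.secret, self._msg(fingerprint, email), hashlib.sha256).hexdigest()
        return hmac.compare_digest(rec["sig"], expected)
```

A client trusting such a server would treat `verify()` returning True as evidence only that someone controlling that mailbox uploaded that key, which is exactly the weaker claim the "casual" label is meant to convey.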