Hi,

One thought to add to the mix: Phishing attacks by having unknowledgeable users "click on this link" are pretty successful. Doesn't this proposal open a new threat vector?

Thanks,
Bob Cavanaugh

> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-bounces+robertc=broadcom....@gnupg.org] On Behalf Of MFPA
> Sent: Thursday, March 19, 2015 5:58 PM
> To: Jose Castillo on GnuPG-Users
> Subject: Re: Email-only UIDs and verification (was: Making the case for smart cards for the average user)
>
> * PGP Signed by an unknown key
>
> On Wednesday 18 March 2015 at 6:18:57 PM, in <mid:16C07A2D-8B6D-48E5-9bc3-b6ae5d093...@gmail.com>, Jose Castillo wrote:
>
> > On Mar 16, 2015, at 8:55 PM, MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:
>
> MFPA>> No angle brackets around the email address means no key found.
>
> JC> Good point, I'll make that change.
>
> Appreciated.
>
> As you probably read in Daniel Kahn Gillmor's message, he has lodged a bug report/feature request for GnuPG.
>
> JC> As a sidenote, I notice that when I'm generating a key interactively, I get an error message of 'Name must be at least 5 characters long' when I try to make an email-only UID.
> > It works in batch mode, and obviously with the allow-freeform-uid option, but just thought it was interesting to point out. Someone attempting to make such a UID in the interactive mode might be forgiven for putting their email address in the 'name' field as a workaround.
>
> They would be scolded at the next prompt, then probably either give up, or go back and enter a name, or enter their email address a second time.
>
> I would imagine the "average user" you are aiming at would use your GUI to create keys. A more advanced user might read your documentation, so you could tell them which options to use if they wanted to create a key matching your bespoke user-id standard through the normal GnuPG text interface.
>
> MFPA>> Thinking about it, you don't need the user to click a link or to reply to an email at all.
>
> > This is a very good point, and I can see making this change.
> > I would think it would make it easier to code: you don't have to bother tracking the verification link/email.
>
> > This was in reference to the PGP global directory's verification check. Having never used it I'm curious why the validity period is only two weeks.
>
> Lots of activation or verification links sent out by email have a short validity period. People are used to that.
>
> PGP Global Directory's FAQ <https://keyserver.pgp.com/vkd/VKDHelpPGPCom.html> says:-
>
>     What if I don't respond to the renewal message?
>
>     The PGP Global Directory will give you two weeks to respond. If you don't respond, your key will be removed from the directory, as it is assumed you no longer have the key or are no longer using the email address in the user ID of the key.
>
> > Does the user have to re-verify their email address every two weeks? That seems excessive.
>
> It would be.(-;
>
> The user has two weeks to react to the verification email. Once the user has verified the email address, the verification is good for six months. Then they get a renewal verification email, and so on.
>
> I have no idea why the PGP GD verification signatures last only two weeks instead of six months. Their FAQ is silent on the matter.
>
> MFPA>> Finally, if the person at the other end is able to decrypt my message and reply to me, then the key and the email address are controlled by the same person.
> MFPA>> What assurance does the verification service add?
>
> > In the case of establishing communication with someone you haven't yet met, it gives you an assurance that a third party has verified that they were in control of the address on a given date within the last year.
>
> The person at the other end decrypting my message and replying to me shows that the key and the corresponding email address are both controlled by the same person today (Person A), verified by me.
>
> Additional information: the verification service verified that the key and the email address were both controlled by the same person (Person B) on a given verification date within the last year.
>
> I am opening communication with the Person A at that address today. I neither know nor care if Person B, who was there within the last year, is the same person as person A. So I cannot think of a use for the additional information. (I'm not saying there is no use, merely that I can't see one.)
>
> > If I query your email address and find four keys, I don't know what to do;
>
> Good question.
>
> 1. You could ask me, in an email encrypted to all four keys.
>
> 2. You could ask me, in up to four individually-encrypted emails. May not need all four if I answer before you sent them all.
>
> 3. Out-of-band communication, such as phone.
>
> 4. Look for clues in my email signature block or headers.
>
> > but if one of them is trusted by the email verification service, which I trust, then there's only one valid key.
>
> The email verification service's signature, which warrants that the key and email address were under common control on a specific date in the past year. That is a reasonable first guess out of the four keys, and makes that one key "valid" in accordance with your bespoke Signet simplified validity scheme.
>
> --
> Best regards
>
> MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>
>
> Don't anthropomorphize computers - they hate it
>
> * Unknown Key
> * 0x1AF778E4(L)
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
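The key-selection rule the thread ends on (several keys carry the same address; only a key the trusted verification service certified within the last year counts as "valid", and an address not inside angle brackets is not found at all) written out as an added example. This is illustrative code, not part of the thread, Signet or GnuPG; the key IDs, dates and the `Certification`/`Key` model are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import re

@dataclass
class Certification:
    signer: str     # key ID of the certifying key (e.g. the verification service)
    made_on: date   # date the certification was made

@dataclass
class Key:
    keyid: str
    uids: list
    certs: list = field(default_factory=list)

# Only an address inside angle brackets counts as the key's e-mail UID.
EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")

def uid_emails(key):
    """All angle-bracketed addresses on the key's user IDs, lower-cased."""
    return {m.group(1).lower() for uid in key.uids for m in EMAIL_RE.finditer(uid)}

def keys_for_address(keys, address):
    """Keys whose bracketed UID address matches; a bare address is never found."""
    return [k for k in keys if address.lower() in uid_emails(k)]

def verifier_vouches(key, verifier, today, max_age=timedelta(days=365)):
    """True if `verifier` certified the key on a date within the last year."""
    return any(c.signer == verifier and timedelta(0) <= today - c.made_on <= max_age
               for c in key.certs)

def select_valid_key(keys, address, verifier, today):
    """The single key for `address` the trusted verifier vouches for, else None."""
    vouched = [k for k in keys_for_address(keys, address)
               if verifier_vouches(k, verifier, today)]
    return vouched[0] if len(vouched) == 1 else None   # 0 or >1: ask out of band

# Constructed sample data: hypothetical key IDs and dates, not real keys.
VERIFIER = "VERIFIER-KEY"
TODAY = date(2015, 3, 20)
LATER = TODAY + timedelta(days=400)   # over a year after the only good certification
SAMPLE_KEYS = [
    Key("KEY1", ["Alice <alice@example.org>"]),                                                # no certification
    Key("KEY2", ["<alice@example.org>"], [Certification(VERIFIER, date(2015, 1, 10))]),        # vouched, recent
    Key("KEY3", ["Alice <alice@example.org>"], [Certification(VERIFIER, date(2013, 12, 1))]),  # vouched, too old
    Key("KEY4", ["Alice <alice@example.org>"], [Certification("RANDOM-KEY", date(2015, 3, 1))]),  # untrusted signer
    Key("KEY5", ["alice@example.org"]),                                                        # no brackets: not found
]

if __name__ == "__main__":
    chosen = select_valid_key(SAMPLE_KEYS, "alice@example.org", VERIFIER, TODAY)
    print(chosen.keyid if chosen else "no single valid key")
```

Running it picks KEY2 today and nothing once that certification is older than a year, which is exactly when the thread's fallbacks (encrypt to all candidates, or ask out of band) apply.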