-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Wednesday 29 July 2015 at 6:42:34 AM, in
<mid:55b867ca.9090...@enigmail.net>, n...@enigmail.net wrote:

> Interesting. What comes into my mind is the following:
> - This requires special email clients.

How would this require a special email client? OpenPGP-aware email
clients I have used have a simple way to save a key from a message to
the keyring by clicking a button or selecting a menu option. And if
the user's email client is not OpenPGP-aware, or they use webmail,
there is always copy and paste.

> The benefit of the proposed workflow is that any existing client can
> use it just by switching its keyserver to the validating keyserver
> proxy.

I only suggested simplification of the workflow for actually
validating/signing the keys. The user can still just switch their
keyserver of choice to the validating proxy.

> How to deal with existing keys? Well probably the same (upload a key
> for the first time and uploading it for updates would run the same
> workflow), right?

Yes. And for automatic re-validations, before my step 1 (key reaches
validation server) the proxy server would consult its list of which
keys it signed when and fetch them for revalidation.

>> There is still the same level of assurance that the email address
>> and private key are controlled by the same entity. Advantages are:-
>> a. Nobody is asked to click links or reply to emails.

> Hmm, isn't step 5 kind of that?

No. Step 5 is that the user receives an encrypted email to each
relevant email address containing a copy of their key with the
additional signature on just that UID, much as they might receive
from other attendees at a keysigning. If they wish, the user saves
the updated key to their keyring. And, again if they wish, the user
uploads their updated key to a keyserver.

> In any case some confirmation email handling is required.

For each UID, the copy of the key containing a validation signature
over only that UID would be sent in an encrypted email to the email
address in that UID. Receipt of the email containing the signed key
confirms the ability to receive messages sent to that email address.
And decryption of that email confirms access to the private key. What
else do you need to confirm?

>> c. Changes to the user's key are uploaded to the keyserver by the
>> user, not by the validation server.

> Is this a real benefit?

It's the user's key. Denying them the choice by uploading your changes
directly to keyservers is pretty arrogant. Maybe you could have the
validating proxy upload the changes itself in the event the key you
are validating does not have the keyserver no-modify flag set?

- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

Think for yourself. Otherwise you have to believe what other people tell you.
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJVuMZGXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXweqgH/Aq5kO8qt0dJLy0J7W73I8k2
TXjCir9yvYvlqIliJpoYRbV5TC4N/k0xI6d+kx/J825V81xjpi6wgtLHXpF3tii4
rGdEniBgzJmoZvSNVVUhbzgy/Nd7RdMAL/ZF0PVfGsG0fg0MRSonikG1AUVxk9S8
JOXNfq5suDhx3hIA0W5qL0ecWSWRfbwFmUXcO9C59oTd90Do1Noz7LAAizzeNOgT
ZeM7wuGlOicqqRGVKppxJ64LlRlkRc/WHkbZlubDw3iR4d3iqwAMam+/tI1vDvDg
9YHu7M91FHqPPIKFd8cCVbcFBdnBctucYVvC07KnCKOeqPBmCE+EnHoxwRm22reI
vgQBFgoAZgUCVbjGcF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45J7bAP0dlJftV38bRaG70yc2g0ZMOUCv
hMpVCeNAbfYKXoQmwwEA/TzLo6o28HFJ3pjaQ/ZGr8x0sR4RzBsMJ9JwUWw+4AE=
=5N4q
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
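Two mechanics underpin the proposal discussed above: sending each UID a copy of the key that carries a certification over only that UID, and checking the keyserver no-modify flag before a proxy uploads anything on the user's behalf. The following is an added example, not code from this thread or from GnuPG, showing how a validating proxy could do both at the OpenPGP packet level (RFC 4880). It walks a binary transferable public key (the form produced by `gpg --export`), slices it into one minimal key per User ID (primary key packet, that UID, its certifications), and reads the no-modify bit from each certification's hashed key server preferences subpacket (type 23, first octet 0x80). The key it runs on is constructed inline with dummy key material and unverifiable signature placeholders; the parser only inspects packet framing and does not verify signatures, which a real proxy must do before trusting any flag it reads.

```python
"""Split an OpenPGP (RFC 4880) public key into one copy per User ID and read
the keyserver 'no-modify' preference from each UID's self-certification.
Added example on constructed data; stdlib only, signatures are not verified."""
import struct

# RFC 4880 packet tags and the one signature subpacket this parser inspects.
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY, TAG_USER_ATTRIBUTE = 2, 6, 13, 14, 17
SUBPKT_KEYSERVER_PREFS = 23   # first octet of its body: 0x80 means no-modify
NO_MODIFY_FLAG = 0x80


def read_packets(buf):
    """Yield (tag, body) per packet; old- and new-format headers, definite lengths."""
    i = 0
    while i < len(buf):
        ctb = buf[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, buf[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + buf[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", buf[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = (2, 3, 5)[ltype]
            length = int.from_bytes(buf[i + 1:i + hdr], "big")
        yield tag, buf[i + hdr:i + hdr + length]
        i += hdr + length


def encode_packet(tag, body):
    """New-format header with a one-, two- or five-octet body length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def hashed_subpackets(sig):
    """Return [(type, body)] from the hashed subpacket area of a v4 signature."""
    count = struct.unpack(">H", sig[4:6])[0]
    area, i, out = sig[6:6 + count], 0, []
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        out.append((area[i] & 0x7F, area[i + 1:i + length]))  # length includes the type octet
        i += length
    return out


def split_by_uid(key_bytes):
    """One entry per User ID: minimal key bytes (primary key, that UID, its
    certifications) plus whether any of those certifications sets no-modify."""
    packets = list(read_packets(key_bytes))
    if not packets or packets[0][0] != TAG_PUBLIC_KEY:
        raise ValueError("expected a primary public key packet first")
    primary, entries, current = packets[0], [], None
    for tag, body in packets[1:]:
        if tag == TAG_USER_ID:
            current = {"uid": body.decode("utf-8", "replace"), "no_modify": False,
                       "packets": [primary, (tag, body)]}
            entries.append(current)
        elif tag in (TAG_USER_ATTRIBUTE, TAG_PUBLIC_SUBKEY):
            current = None            # subkey binding sigs are not UID certifications
        elif tag == TAG_SIGNATURE and current is not None and body[:1] == b"\x04":  # v4 only
            current["packets"].append((tag, body))
            for sp_type, sp_body in hashed_subpackets(body):
                if sp_type == SUBPKT_KEYSERVER_PREFS and sp_body and sp_body[0] & NO_MODIFY_FLAG:
                    current["no_modify"] = True
    for e in entries:
        e["packets"] = b"".join(encode_packet(t, b) for t, b in e["packets"])
    return entries


def make_constructed_key():
    """Synthetic two-UID key (dummy MPIs, unverifiable certs) to exercise the parser."""
    pubkey = b"\x04" + b"\x00" * 4 + b"\x16" + b"\x00" * 8      # v4, creation time, algo 22, dummy MPI

    def cert(no_modify):
        hashed = (b"\x05\x02" + b"\x00" * 4                      # subpacket 2: creation time
                  + b"\x02\x17" + bytes([NO_MODIFY_FLAG if no_modify else 0]))  # subpacket 23
        return (b"\x04\x13\x16\x08" + struct.pack(">H", len(hashed)) + hashed  # v4, positive cert
                + b"\x00\x00" + b"\x00\x00" + b"\x00" * 4)      # no unhashed, left16, dummy MPI

    return (encode_packet(TAG_PUBLIC_KEY, pubkey)
            + encode_packet(TAG_USER_ID, b"Alice <alice@example.org>")
            + encode_packet(TAG_SIGNATURE, cert(True))
            + encode_packet(TAG_USER_ID, b"Alice <alice@example.net>")
            + encode_packet(TAG_SIGNATURE, cert(False)))
```

Each entry returned by `split_by_uid` is exactly what the proposal sends to one address: a key that says nothing about the user's other UIDs, and the `no_modify` field is the decision input for whether the proxy may upload on the user's behalf. Re-running `split_by_uid` on one entry's `packets` yields a single UID, which is the property a real proxy would assert before encrypting and mailing it.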