On Thu, 2005-01-20 at 23:59 +0000, Luke-Jr wrote:
> On Thursday 20 January 2005 11:25 pm, Jonathan wrote:
> > On [Thu, 20.01.2005 14:11], Georgi Georgiev wrote:
> > > So people are currently trusting the *name* of a person, but... What
> > > happens if I show a proper ID but use fake e-mail addresses in my key?
> > > Nobody told me how you verify e-mail addresses...
> >
> > You send an encrypted string to each email address. If you return the
> > correct string, you pass the test.
>
> The entire problem that encrypting email solves is that where people can
> access accounts other people have (via sniffing, cracking, or otherwise).
> Your assumption (that only the person you are expecting can read the
> account's mail) completely defeats that purpose. If it was impossible for
> anyone except you to read your mail, why would I ever care to encrypt
> something to you in the first place?
Have you ever *used* encrypted mail, Linda?

The mail is encrypted with someone's public key. They decrypt it with their
private key. This means they must not only be able to access the mailbox, but
also the GPG private key and the passphrase. That is what is considered
sufficient means to prove ownership of the key.

Matched with the ID that you matched to the fingerprint that was gotten before
the meet, which the person at the meet has also brought a copy of, it gives
about as good as you're going to get on validation without involving some DNA
evidence or knowing the person first-hand.

-- 
Chris Gianelloni
Release Engineering - Operations/QA Manager
Games - Developer
Gentoo Linux
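The challenge-response check Jonathan and Chris are describing, written out as an added example (not code from the thread or from any keysigning tool): the verifier encrypts a fresh random nonce to the key being signed and mails one such challenge to each e-mail address listed in the key's UIDs; only someone who can both read that mailbox and decrypt with the private key can send the nonce back. The RSA key below is a toy with constructed, far too small primes, used purely so the exchange runs offline; the fingerprint, addresses and the "Mallory" mailbox are likewise constructed.

```python
import secrets

# --- Toy RSA key (constructed for illustration; far too small to be secure) ---
P, Q = 1000003, 1000033             # constructed small primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def encrypt_to_key(public_key, m):
    """Textbook RSA encryption of a small integer m to public_key."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt_with_key(private_key, c):
    """Textbook RSA decryption with the private exponent."""
    n, d = private_key
    return pow(c, d, n)


class EmailChallenger:
    """Verifier side of the keysigning check: one encrypted nonce per UID address."""

    def __init__(self, fingerprint, public_key, uid_emails):
        self.fingerprint = fingerprint
        self.public_key = public_key
        # 32-bit nonces keep the plaintext below the toy modulus
        self.pending = {addr: secrets.randbelow(2 ** 32) for addr in uid_emails}
        self.verified = set()

    def challenges(self):
        """Return {address: ciphertext}; each entry is mailed only to that address."""
        return {addr: encrypt_to_key(self.public_key, nonce)
                for addr, nonce in self.pending.items()}

    def submit_response(self, addr, claimed_nonce):
        """Accept a reply only if it carries the exact nonce sent to that address.

        A nonce is consumed on first use, so a replayed or late reply fails."""
        expected = self.pending.get(addr)
        if expected is None or claimed_nonce != expected:
            return False
        del self.pending[addr]
        self.verified.add(addr)
        return True


def key_holder_responds(private_key, readable_mailboxes, inbox):
    """Key-holder side: decrypt the challenges found in the mailboxes this
    person can actually read, and answer with the recovered nonces."""
    return {addr: decrypt_with_key(private_key, c)
            for addr, c in inbox.items() if addr in readable_mailboxes}


def run_demo():
    """Exercise the exchange: Alice controls two of three UID addresses plus the
    private key; Mallory reads the third mailbox but has no private key."""
    uids = ["alice@example.org", "alice@example.net", "alice@forged.example"]
    verifier = EmailChallenger("0000 0000 0000 0000 CONSTRUCTED FINGERPRINT",
                               PUBLIC_KEY, uids)
    mail = verifier.challenges()

    alice_boxes = {"alice@example.org", "alice@example.net"}
    for addr, nonce in key_holder_responds(PRIVATE_KEY, alice_boxes, mail).items():
        verifier.submit_response(addr, nonce)

    # Mallory can read alice@forged.example but cannot decrypt: echoing the
    # ciphertext (the only thing seen in the mailbox) does not match the nonce.
    mallory_ok = verifier.submit_response("alice@forged.example",
                                          mail["alice@forged.example"])
    return verifier.verified, mallory_ok


if __name__ == "__main__":
    verified, mallory_ok = run_demo()
    print("verified UIDs:", sorted(verified))
    print("mailbox-only attacker passed:", mallory_ok)
```

The point the example makes concrete is Chris's: mailbox access alone gets Mallory the ciphertext, not the nonce, so the forged UID stays unverified, while the two addresses Alice both reads and can decrypt for are confirmed. Because each nonce is deleted once accepted, a second submission with the same value is refused, which is the minimum a verifier wants against replayed replies.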