On Friday, 7 July 2006 06:31, Todd Zullinger wrote:
> What I don't see in any of the links is more information about
> sending an email challenge before signing a key. (My apologies if
> I'm overlooking it on your page or any of the others.)
>
> It's been discussed here before but I've not found any scripts or
> good details that I could point my fellow LUG members toward.
Try CA-Bot (http://cabot.alioth.debian.org/). I haven't used it myself
because I'm using a self-written script for creating challenges with
KMail. But I've been sent a few challenges generated by CA-Bot. Last
time I received such a message, it said (at least IIRC) that CA-Bot
couldn't handle signed and/or encrypted replies. So using CA-Bot you can
only check whether the person you send the challenge to can decrypt the
challenge, but you can't check whether he also controls the signing key.

> Isn't it a good thing to send some random data to each UID on the key
> someone wishes you to sign and require that they send back that data
> signed by the key to prove they control both the key and the email
> address in the UID?

Where "control the email address" is different from "is the owner of
the email address". Anybody between you and the owner of the email
address can intercept the challenge, sign it and send it back to you.
This is especially a problem with email addresses which don't contain
the name, but just some random alias, nickname or whatever.
[EMAIL PROTECTED] could be anyone's email address.

Regards,
Ingo
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
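As an added example that is not part of Ingo's reply, of CA-Bot, or of any script mentioned in the thread: the per-UID challenge exchange Todd describes, scripted against the gpg command line. It assumes gpg 2.2 or newer on PATH and uses a constructed test key with two made-up UIDs (owner@example.test and owner@lug.example.test) in a throwaway GNUPGHOME, playing both the sender and the key owner on one machine. The sender side checks two things that a decrypt-only challenge cannot: that the reply carries a good signature from the challenged key, and that the nonce in the signed text is the one issued for that particular UID.

```shell
#!/bin/sh
# Added example, not code from the list posting. Per-UID key-signing
# challenge with the gpg CLI (gpg 2.2+ assumed): the sender encrypts a
# random nonce to the key, the owner decrypts it and returns it clearsigned,
# and the sender accepts only a good signature from the challenged key whose
# signed body carries the nonce issued for that UID. Both roles share one
# throwaway GNUPGHOME with a constructed test key; in real use each
# challenge is mailed to the address in its UID.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Non-interactive gpg with an empty passphrase (acceptable for a test key only).
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# --- key owner: constructed test key with two hypothetical UIDs
g --quick-gen-key 'Test Owner <owner@example.test>' default default never
FPR=$(gpg --batch --with-colons --list-keys 'owner@example.test' |
      awk -F: '/^fpr:/ { print $10; exit }')
g --quick-add-uid "$FPR" 'Test Owner <owner@lug.example.test>'
# One UID per line (colon-format escapes do not occur in these test UIDs).
gpg --batch --with-colons --list-keys "$FPR" |
    awk -F: '/^uid:/ { print $10 }' > "$WORK/uids.txt"

# --- sender: ledger of issued nonces, one per (fingerprint, UID)
LEDGER="$WORK/challenges.tsv"

issue_challenge() {   # issue_challenge FPR UID OUTFILE
    nonce=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s\t%s\t%s\n' "$1" "$2" "$nonce" >> "$LEDGER"
    printf 'Key-signing challenge\nFingerprint: %s\nUID: %s\nNonce: %s\n' \
        "$1" "$2" "$nonce" |
        g --armor --trust-model always --encrypt -r "$1" > "$3"
}

# --- key owner: decrypting proves the encryption subkey; clearsigning the
# plaintext proves the signing key. A decrypt-only check would stop here.
answer_challenge() {  # answer_challenge CHALLENGE REPLY
    g --decrypt "$1" | g --armor --clearsign --local-user "$FPR" > "$2"
}

# --- sender: verify signature, signer identity, and the per-UID nonce
verify_reply() {      # verify_reply FPR UID REPLY
    status="$WORK/status.txt"
    # --decrypt on a clearsigned message emits the signed text on stdout and
    # machine-readable status lines on fd 3; a bad signature exits non-zero.
    body=$(gpg --batch --quiet --status-fd 3 --decrypt "$3" 3>"$status") || return 1
    # VALIDSIG: field 3 is the signing (sub)key, the last field the primary key.
    signer=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3;  exit }' "$status")
    primary=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }' "$status")
    [ -n "$signer" ] || return 1
    [ "$signer" = "$1" ] || [ "$primary" = "$1" ] || return 1
    expected=$(awk -F'\t' -v f="$1" -v u="$2" \
        '$1 == f && $2 == u { print $3; exit }' "$LEDGER")
    [ -n "$expected" ] || return 1
    got=$(printf '%s\n' "$body" | awk '/^Nonce: /{ print $2; exit }')
    [ "$got" = "$expected" ]
}

# Run the exchange for every UID on the key; succeeds only if all verify.
run_demo() {
    : > "$LEDGER"
    n=0
    while IFS= read -r uid; do
        n=$((n + 1))
        issue_challenge "$FPR" "$uid" "$WORK/challenge-$n.asc"
        answer_challenge "$WORK/challenge-$n.asc" "$WORK/reply-$n.asc"
        verify_reply "$FPR" "$uid" "$WORK/reply-$n.asc" || return 1
    done < "$WORK/uids.txt"
    [ "$n" -eq 2 ]
}

# Failure modes: editing the nonce breaks the signature, and a valid reply
# for one UID must not satisfy the challenge sent to another UID.
tampered_reply_rejected() {
    sed 's/^Nonce: .*/Nonce: 0000/' "$WORK/reply-1.asc" > "$WORK/tampered.asc"
    ! verify_reply "$FPR" "$(sed -n 1p "$WORK/uids.txt")" "$WORK/tampered.asc"
}
cross_uid_rejected() {
    ! verify_reply "$FPR" "$(sed -n 2p "$WORK/uids.txt")" "$WORK/reply-1.asc"
}

run_demo && tampered_reply_rejected && cross_uid_rejected && echo "all checks passed"
```

What a passing run establishes is exactly the limit Ingo describes: whoever received the challenge at that address holds both the decryption and the signing key, so "controls the address and the key" is shown, while "is the person named in the UID" is not; the script cannot tell a legitimate owner from someone sitting on the mail path who submitted their own key under that address.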
