* Todd Zullinger <[EMAIL PROTECTED]> wrote:
> What I don't see in any of the links is more information about sending
> an email challenge before signing a key. (My apologies if I'm
> overlooking it on your page or any of the others.)

Before, I used a protocol for signing keys where I sent out random strings as challenge-response, but it's not worth it. There is no enhanced security and only more work for "signer" and "signee". If you send the signed UIDs encrypted to each mail address separately, it has the same effect in security, because if the mail address bounces or the person behind the address doesn't have the private key, your signed UIDs won't become publicly available.

> It's been discussed here before but I've not found any scripts or good
> details that I could point my fellow LUG members toward. Isn't it a
> good thing to send some random data to each UID on the key someone
> wishes you to sign and require that they send back that data signed by
> the key to prove they control both the key and the email address in
> the UID?

There are some scripts around, but don't use CA-Bot as Ingo suggested. As he has already said, it has problems with so-called sign-only keys and it sends out broken mails. caff, from the same author, handles these keys much better. It can be downloaded from the third link I mentioned. Besides, it is already available in Debian and FreeBSD.

Regards,
Marcus

-- 
"This elevator serves me alone. I have complete control over this entire level. With cameras as my eyes and nodes as my hands, I rule here, insect." (Shodan in System Shock)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
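Added example (not part of the original message, and not caff's code): a Python sketch of the per-UID delivery described above, which reads a `gpg --with-colons` key listing and plans one mail per usable UID, each carrying only that UID's signature and encrypted to the key. The two key listings are constructed samples, and holding a sign-only key for manual handling is an assumption of this sketch.

```python
import re

# Constructed `gpg --with-colons --list-keys` output; these are not real keys.
MULTI_UID_KEY = """\
pub:-:2048:1:AAAAAAAAAAAAAAAA:1100000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAAAAAA:
uid:-::::1100000000::HASH1::Alice Example <alice@example.org>:
uid:r::::1100000000::HASH2::Alice Example <old@example.org>:
uid:-::::1100000000::HASH3::Alice (LUG\\x3a keysigning) <alice@lug.example>:
sub:-:2048:1:BBBBBBBBBBBBBBBB:1100000000::::::e:
"""
SIGN_ONLY_KEY = """\
pub:-:1024:17:CCCCCCCCCCCCCCCC:1100000000:::-:::scSC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210CCCCCCCC:
uid:-::::1100000000::HASH4::Bob Example <bob@example.net>:
"""

def unescape(field):
    # The colon listing C-escapes special characters, e.g. ':' as \x3a.
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def plan_deliveries(listing):
    """One delivery per usable UID: only that UID's signature goes to that UID's address."""
    fpr, can_encrypt, plan = None, False, []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 12: uppercase letters are the usable capabilities of the whole key.
            can_encrypt = "E" in f[11]
        elif f[0] == "fpr" and fpr is None:
            fpr = f[9]  # the first fpr record belongs to the primary key
        elif f[0] == "uid" and f[1] not in ("r", "e"):  # skip revoked/expired UIDs
            uid = unescape(f[9])
            m = re.search(r"<([^<>\s]+@[^<>\s]+)>", uid)
            if m:
                plan.append({"uid": uid, "to": m.group(1)})
    for d in plan:
        d["encrypt_to"] = fpr if can_encrypt else None
        # Assumption of this sketch: a key nobody can encrypt to is held for manual handling.
        d["action"] = "send-encrypted" if can_encrypt else "hold-for-manual-handling"
    return plan
```

Because each signature leaves the signer only as ciphertext addressed to one UID, it can be published only by someone who both receives mail at that address and holds the private key.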