On Friday 07 July 2006 16:56, Todd Zullinger wrote: > Ingo Klöcker wrote: > > I haven't used it myself because I'm using a self-written script > > for creating challenges with KMail. > > Could you elaborate a little on the procedure you use to generate the > challenges? I'd love to have some examples of how other folks do > things to present to my fellow LUG members.
My script does the following: For each key id that's given on the command line it first determines all UIDs which are neither revoked nor expired nor have already been signed by me. Then for each UID a random string is generated. I use the command head -c 18 /dev/urandom | mimencode for this. (mimencode is part of metamail.) This challenge and the key id and the UID are then inserted into a text explaining what the receiver of the challenge has to do. This text is then encrypted with the key corresponding to the key id. The encrypted text is then prepended with another text explaining what the encrypted text is about. Finally the resulting text is given to KMail together with the email address (==UID). Now I only have to click on the Send button in KMail to send the message. (I could make KMail automatically send the messages, but I prefer to have a last look at them before I send them in order to check that everything worked correctly.) I've attached the script. > >> Isn't it a good thing to send some random data to each UID on the > >> key someone wishes you to sign and require that they send back > >> that data signed by the key to prove they control both the key and > >> the email address in the UID? > > > > Where "control the email address" is different from "is the owner > > of the email address". Anybody between you and the owner of the > > email address can intercept the challenge, sign it and send it back > > to you. > > Of course, but they can't sign it with the key I've been asked to > sign and which I verified from the key fingerprint and other owner > details, unless they are the proper owner of that key. Yes, they can if it was them who asked you to sign their key. For example, I could create a key with my name and your email address, go to a key signing party and make everybody sign the fake user id. And if I can intercept your mail then I can even reply to challenges. Of course, such an "attack" probably doesn't make much sense because for what purpose should I want to make someone believe I have an email address I do in fact not own (but which I can intercept). Regards, Ingo
send-challenge-v1.1.pl
Description: Perl program
pgpDyeYJuFQ2o.pgp
Description: PGP signature
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
