On Fri, Jul 07, 2006 at 04:15:03PM -0400, Todd Zullinger wrote:
> Ingo Klöcker wrote:
> > On Friday 07 July 2006 17:09, Todd Zullinger wrote:
> [...]
> >> But that does mean that you can't get a signed key to someone if
> >> the key you've signed doesn't have any encryption capabilities,
> >> correct?
> >
> > That's obviously correct. In this case you could give the key owner
> > a piece of paper with a random string and ask him to send it in a
> > signed message to your email address. Then you know that he can use
> > this key for signing messages. Obviously, you can't check the
> > validity of the email addresses belonging to this key (unless he's
> > got an encryption key you can use for checking the addresses).
>
> Is it really necessary to encrypt the challenge? If the key has
> encryption capabilities, I would do so, but if it was a sign only key
> and I could not do so, just what sort of attacks or weaknesses are
> there in sending the challenge in the clear? I've seen David Shaw
> point out that it didn't gain you much. I'm just trying to work
> through the possible scenarios so I have them clear in my mind before
> trying to present this to a larger group, who may well end up with
> questions on this that I'd like to have better answers for than I do
> now.

There is no harm (and no real benefit either) in sending the challenge
NOT in the clear. Either way, you're proving the same thing: whether
the email address goes anywhere and whether someone who has access to
the email also has access to the key.

David
