On Monday 16 September 2013 11:57:04 Doug Barton wrote:
> The way that your signer did it is _a_ standard way to do it. CAFF is
> a very popular program for that, and there is another here that is
> also pretty good: http://www.phildev.net/pius/news.shtml
>
> I have another philosophy that works for me because I prefer not to
> sign uids that are not valid. I send encrypted e-mail to each uid
> with a pseudo-random string and ask the person to send me back the
> string in a signed message. That allows me to determine if the person
> has control of all 3 elements of the uid; the e-mail address,
> private, and public keys.
CAFF (and apparently also PIUS) achieve the same: a signed UID is sent encrypted to the UID's email address. The signature on the UID can only be retrieved by a person who controls the email address and the private key.

What do you mean by having control of the public key? How does your workflow verify that the person has control of the public key? AFAICS the public key is not needed for anything in your workflow.

> As a pleasant side effect it also gives me
> a chance to judge their competence with PGP, which allows me to
> assign a better trust value to folks I did not previously know.

Granted, this is an advantage your workflow has over CAFF, but I'm not sure it's worth the additional work of verifying all replies and then selectively signing UIDs. I've been there and have done this, but CAFF is just a lot less of a hassle without losing much (if anything).

Regards,
Ingo
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
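The per-UID challenge-response Doug describes (and which Ingo compares to CAFF's encrypted delivery of each UID signature), modelled in Go as an added example; this is not code from the thread, from CAFF or from PIUS. Ed25519 keys from the standard library stand in for OpenPGP keys, a map of mailboxes stands in for e-mail delivery, and all fingerprints and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Key is what the signer holds about a key: fingerprint, UIDs (e-mail -> name)
// and public key. Constructed model: Ed25519 stands in for an OpenPGP key.
type Key struct {
	Fingerprint string
	UIDs        map[string]string
	Pub         ed25519.PublicKey
}
// Challenge records which key and which UID an outstanding token was mailed to.
type Challenge struct{ Fingerprint, Email string }
// Reply is what the key holder mails back: the token, signed with the key.
type Reply struct{ Fingerprint, Token string; Sig []byte }

// IssueChallenges (signer side) mints one fresh token per UID and delivers it to
// that UID's mailbox only; pending remembers which UID each token vouches for.
func IssueChallenges(k Key, pending map[string]Challenge, mailboxes map[string][]string) {
	for email := range k.UIDs {
		buf := make([]byte, 16)
		if _, err := rand.Read(buf); err != nil { panic(err) }
		tok := hex.EncodeToString(buf)
		pending[tok] = Challenge{k.Fingerprint, email}
		mailboxes[email] = append(mailboxes[email], tok)
	}
}
// HolderReply (key owner side) takes the token out of one mailbox and signs it.
func HolderReply(fpr string, priv ed25519.PrivateKey, mailboxes map[string][]string, email string) Reply {
	toks := mailboxes[email]
	tok := toks[len(toks)-1]
	mailboxes[email] = toks[:len(toks)-1]
	return Reply{fpr, tok, ed25519.Sign(priv, []byte(tok))}
}
// VerifyReply (signer side) returns the e-mail of the UID that may now be certified,
// or "" if the token is unknown/spent, was issued for another key, or the signature fails.
func VerifyReply(pending map[string]Challenge, keys map[string]Key, r Reply) string {
	ch, ok := pending[r.Token]
	k, known := keys[r.Fingerprint]
	if !ok || !known || ch.Fingerprint != r.Fingerprint || !ed25519.Verify(k.Pub, []byte(r.Token), r.Sig) {
		return ""
	}
	delete(pending, r.Token) // one token, one use
	return ch.Email
}
```

A UID whose mailbox never answers simply stays in `pending` and is never certified, which is the "don't sign uids that are not valid" property; a reply signed by some other key, or a replayed token, is rejected the same way.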
