On Tue, 28 Jan 2014 20:13:30 +0100
Leo Gaspard <ekl...@gmail.com> wrote:

> On Fri, Jan 24, 2014 at 11:08:16PM +0000, Steve Jones wrote:
> > [...]
> > 
> > Finally there's the possibility of explicit verification, if someone
> > sends me a challenge and I publish that challenge's signature on my
> > blog then that verifies that I am in control of that private key and
> > can publish to that blog.
> > 
> > [...]
> 
> Wouldn't it be better to publish unencrypted (and unsigned) a challenge received
> encrypted? As signing unknown data should be avoided, as no one knows whether
> this data won't ever have a real meaning one does not intend to mean.

The challenge would not need to be the sole content of the message that
is signed, so long as it is contained in the signed content. A simple
human readable message to the effect that the signature is for response
to a challenge should suffice. A more sophisticated approach would be
for OpenPGP to include a new signature type for this purpose.

-- 
Steve Jones <st...@secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC  4272 2AC8 A680 7167 C896
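The approach Steve describes, signing a human-readable statement that contains the challenge rather than the bare challenge bytes, as an added example that is not part of the thread or of GnuPG. It uses Go's standard-library Ed25519 as a stand-in for an OpenPGP signature, and the framing text, the challenge field format and the function names are all constructed for the illustration. The point it shows is on the verifier's side: a signature is only accepted as a challenge response if the signed text carries the framing and the exact nonce that was issued, so a signature over arbitrary bytes (the case Leo warns about) is rejected even though it is cryptographically valid.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Fixed, human-readable framing (constructed wording). A signature is only
// accepted as a challenge response if the signed text starts with this line,
// so a signature produced for this purpose cannot be mistaken for a signature
// over some other document, and a signature over an arbitrary blob cannot be
// passed off as a challenge response.
const framePrefix = "This signature is a response to a blog-ownership challenge.\n"

// BuildResponse wraps the challenger's nonce in the framing text. The nonce
// is hex-encoded so the signed message is plain text regardless of which
// bytes the challenger sent.
func BuildResponse(challenge []byte) []byte {
	return []byte(framePrefix + "Challenge: " + hex.EncodeToString(challenge) + "\n")
}

// SignResponse signs the framed message, never the raw challenge bytes.
func SignResponse(priv ed25519.PrivateKey, challenge []byte) (msg, sig []byte) {
	msg = BuildResponse(challenge)
	return msg, ed25519.Sign(priv, msg)
}

// VerifyResponse is what the challenger runs on the published message and
// signature. It checks (1) the signature is valid under the claimed key,
// (2) the signed text carries the challenge-response framing, and
// (3) the framed text contains exactly the nonce that was issued.
func VerifyResponse(pub ed25519.PublicKey, issued, msg, sig []byte) error {
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("bad signature")
	}
	text := string(msg)
	if !strings.HasPrefix(text, framePrefix) {
		return errors.New("signed text is not framed as a challenge response")
	}
	rest := strings.TrimSuffix(strings.TrimPrefix(text, framePrefix), "\n")
	const tag = "Challenge: "
	if !strings.HasPrefix(rest, tag) {
		return errors.New("no challenge field in framed text")
	}
	got, err := hex.DecodeString(strings.TrimPrefix(rest, tag))
	if err != nil {
		return errors.New("challenge field is not hex")
	}
	if !bytes.Equal(got, issued) {
		return errors.New("challenge does not match the one issued")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed challenge: 16 random bytes chosen by the challenger.
	challenge := make([]byte, 16)
	rand.Read(challenge)

	msg, sig := SignResponse(priv, challenge)
	fmt.Printf("published text:\n%s", msg)
	fmt.Println("framed response error:", VerifyResponse(pub, challenge, msg, sig))

	// A signature over the bare challenge bytes is a valid signature but is
	// not accepted as a response, because it carries no statement of intent.
	rawSig := ed25519.Sign(priv, challenge)
	fmt.Println("raw-bytes signature error:", VerifyResponse(pub, challenge, challenge, rawSig))

	// A response to a different nonce is rejected as well.
	other := make([]byte, 16)
	rand.Read(other)
	fmt.Println("stale nonce error:", VerifyResponse(pub, other, msg, sig))
}
```

With OpenPGP the same shape applies: the blog post would carry a cleartext-signed message whose body is the framing sentence plus the nonce, and the challenger checks both the signature and the body, not just that some signature from the key exists.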


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
