On Wednesday 18 March 2015 at 6:18:57 PM, in
<mid:[email protected]>, Jose Castillo wrote:

> On Mar 16, 2015, at 8:55 PM, MFPA
> <[email protected]> wrote:

MFPA>> No angle brackets around the email address means no key found.

JC> Good point, I'll make that change.

Appreciated. As you probably read in Daniel Kahn Gillmor's message, he
has lodged a bug report/feature request for GnuPG.

JC> As a sidenote, I notice that when I'm generating a key
JC> interactively, I get an error message of 'Name must be at least 5
JC> characters long' when I try to make an email-only UID. It works in
JC> batch mode, and obviously with the allow-freeform-uid option, but
JC> just thought it was interesting to point out. Someone attempting
JC> to make such a UID in the interactive mode might be forgiven for
JC> putting their email address in the 'name' field as a workaround.

They would be scolded at the next prompt, then probably either give
up, or go back and enter a name, or enter their email address a second
time.

I would imagine the "average user" you are aiming at would use your
GUI to create keys. A more advanced user might read your
documentation, so you could tell them which options to use if they
wanted to create a key matching your bespoke user-id standard through
the normal GnuPG text interface.

MFPA>> Thinking about it, you don't need the user to click a link or
MFPA>> to reply to an email at all.

> This is a very good point, and I can see making this change.

I would think it would make it easier to code: you don't have to
bother tracking the verification link/email.

> This was in reference to the PGP global directory's verification
> check. Having never used it I'm curious why the validity period is
> only two weeks.

Lots of activation or verification links sent out by email have a
short validity period. People are used to that.

PGP Global Directory's FAQ
<https://keyserver.pgp.com/vkd/VKDHelpPGPCom.html> says:-

    What if I don't respond to the renewal message?

    The PGP Global Directory will give you two weeks to respond. If
    you don't respond, your key will be removed from the directory,
    as it is assumed you no longer have the key or are no longer
    using the email address in the user ID of the key.

> Does the user have to re-verify their email address every two
> weeks? That seems excessive.

It would be.(-;

The user has two weeks to react to the verification email. Once the
user has verified the email address, the verification is good for six
months. Then they get a renewal verification email, and so on.

I have no idea why the PGP GD verification signatures last only two
weeks instead of six months. Their FAQ is silent on the matter.

MFPA>> Finally, if the person at the other end is able to decrypt my
MFPA>> message and reply to me, then the key and the email address
MFPA>> are controlled by the same person. What assurance does the
MFPA>> verification service add?

> In the case of establishing communication with someone you haven't
> yet met, it gives you an assurance that a third party has verified
> that they were in control of the address on a given date within the
> last year.

The person at the other end decrypting my message and replying to me
shows that the key and the corresponding email address are both
controlled by the same person today (Person A), verified by me.

Additional information: the verification service verified that the
key and the email address were both controlled by the same person
(Person B) on a given verification date within the last year.

I am opening communication with Person A at that address today. I
neither know nor care if Person B, who was there within the last year,
is the same person as Person A. So I cannot think of a use for the
additional information. (I'm not saying there is no use, merely that I
can't see one.)

> If I query your email address and find four keys, I don't know what
> to do;

Good question.

1. You could ask me, in an email encrypted to all four keys.

2. You could ask me, in up to four individually-encrypted emails. May
   not need all four if I answer before you send them all.

3. Out-of-band communication, such as phone.

4. Look for clues in my email signature block or headers.

> but if one of them is trusted by the email verification service,
> which I trust, then there's only one valid key.

The email verification service's signature, which warrants that the
key and email address were under common control on a specific date in
the past year. That is a reasonable first guess out of the four keys,
and makes that one key "valid" in accordance with your bespoke Signet
simplified validity scheme.

-- 
Best regards

MFPA                    <mailto:[email protected]>

Don't anthropomorphize computers - they hate it

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
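The "four keys, one of them certified by a verification service I trust" rule discussed above, as an added example that is not part of this thread and is neither Signet's nor GnuPG's own code. It reads `gpg --with-colons --list-sigs` output (record layout as documented in GnuPG's doc/DETAILS) and keeps only keys whose UID for the queried address carries a certification from an assumed verifier key ID (`VERIFIER_KEYID`, hypothetical) that was made within the last year and has not expired, which is where the PGP Global Directory's short signature lifetime bites. The listing it runs over is constructed, not real keys.

```python
"""Select the one key for an address that carries a current certification
from a trusted verification service, from `gpg --with-colons --list-sigs`
output (field positions per GnuPG's doc/DETAILS)."""
from datetime import datetime, timezone

# Hypothetical long key ID of the verification service's signing key (assumed).
VERIFIER_KEYID = "0123456789ABCDEF"
MAX_VERIFICATION_AGE_DAYS = 365                    # "within the last year"
CERTIFICATION_CLASSES = {"10", "11", "12", "13"}   # OpenPGP 0x10..0x13 UID certifications

# Constructed sample listing: four keys for alice@example.org, none of them real.
#   AAAA...: verifier certification dated 2015-02-27, no expiry
#   BBBB...: verifier certification dated 2010-01-01, older than a year
#   CCCC...: verifier certification with a two-week expiry (2015-02-17 .. 2015-03-03)
#   DDDD...: self-signature only
SAMPLE_LISTING = """\
pub:u:2048:1:AAAA111122223333:1420070400:::u:::scESC::::::23::0:
uid:u::::1420070400::HASH1::Alice <alice@example.org>::::::::::0:
sig:::1:AAAA111122223333:1420070400::::Alice <alice@example.org>:13x:::::2:
sig:::1:0123456789ABCDEF:1424995200::::Verification Service <verify@example.net>:10x:::::2:
pub:u:2048:1:BBBB444455556666:1262304000:::u:::scESC::::::23::0:
uid:u::::1262304000::HASH2::Alice <alice@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1262304000::::Verification Service <verify@example.net>:10x:::::2:
pub:u:2048:1:CCCC777788889999:1420070400:::u:::scESC::::::23::0:
uid:u::::1420070400::HASH3::Alice <alice@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1424131200:1425340800:::Verification Service <verify@example.net>:10x:::::2:
pub:u:2048:1:DDDD000011112222:1420070400:::u:::scESC::::::23::0:
uid:u::::1420070400::HASH4::Alice <alice@example.org>::::::::::0:
sig:::1:DDDD000011112222:1420070400::::Alice <alice@example.org>:13x:::::2:
"""


def gpg_date_to_epoch(field):
    """Colon-format dates are epoch seconds, or YYYYMMDDThhmmss (UTC) in newer GnuPG; '' means unset."""
    if not field:
        return None
    if "T" in field:
        dt = datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(field)


def verified_keys(listing, address, verifier_keyid, now_epoch,
                  max_age_days=MAX_VERIFICATION_AGE_DAYS):
    """Sorted key IDs whose UID for `address` carries a current certification by the verifier."""
    candidates = set()
    current_key = None
    uid_matches = False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current_key, uid_matches = f[4], False
        elif f[0] == "sub":
            uid_matches = False   # sigs after a sub record are subkey bindings, not UID certifications
        elif f[0] == "uid":
            # matches both "Name <addr>" and the email-only "<addr>" UID discussed in the thread
            uid_matches = f"<{address}>" in f[9]
        elif f[0] == "sig" and current_key and uid_matches and len(f) > 10:
            signer, sig_class = f[4], f[10]
            created, expires = gpg_date_to_epoch(f[5]), gpg_date_to_epoch(f[6])
            if signer != verifier_keyid or sig_class[:2] not in CERTIFICATION_CLASSES:
                continue
            if created is None or now_epoch - created > max_age_days * 86400:
                continue      # verification date is not within the last year
            if expires is not None and expires < now_epoch:
                continue      # the service's own certification has lapsed
            candidates.add(current_key)
    return sorted(candidates)


def single_valid_key(listing, address, verifier_keyid, now_epoch):
    """The 'only one valid key' rule: exactly one verified key, else None (none, or still ambiguous)."""
    keys = verified_keys(listing, address, verifier_keyid, now_epoch)
    return keys[0] if len(keys) == 1 else None


if __name__ == "__main__":
    NOW = 1426809600   # 2015-03-20 00:00 UTC, a constructed "today"
    print(verified_keys(SAMPLE_LISTING, "alice@example.org", VERIFIER_KEYID, NOW))
    print(single_valid_key(SAMPLE_LISTING, "alice@example.org", VERIFIER_KEYID, NOW))
```

With "today" set to 2015-03-20 only the AAAA key survives: BBBB's certification is too old, CCCC's has expired, DDDD has no third-party certification at all. Move "today" back to 2015-03-01, before CCCC's certification lapses, and two keys qualify, so the rule no longer yields a single answer and the querier is back to the four options listed above.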
