-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Thursday 26 March 2015 at 9:26:35 PM, in
<mid:5514798b.7020...@confidantmail.org>, Mike Ingle wrote:

> Yes, the email address is just an identifier. The
> address is used in two ways. One, it is hashed with
> SHA1 and used to look up the user's key id.

I'm in favour of hashing email addresses in key UIDs.

> At present, there is no key verification built in and
> you have to check the key fingerprint (which is always
> shown to the right of the address) or check a signature
> chain on your key using a GPG key manager.

Or you can Trust On First Use, if it suits your threat model.

MFPA>> The intro page on your website says "SMTP-compatible
>> address format: keep your existing email address".
>> Have you checked whether google (or any other email
>> provider) might have something to say about using
>> addresses at their email domain name on a completely
>> unrelated service?

> They very well might, if I was the one making such
> claims. The claim is made by whoever created the key,
> and it is just a claim.

You are the one stating that the user can keep their existing SMTP
email address to use on CM. Given that you do not have a process in
place to verify the user's SMTP email address, I think that is a
pretty bold statement.

Any thoughts on the possible outcomes when a high-profile
politician/celebrity/company with deep pockets finds they are unable
to effectively use their SMTP email address on CM due to messages
showing a key collision and the automatic lookup refusing to match
because somebody got the address first? Maybe nothing, but worthy of
consideration.

> It's much like using a gmail
> address as your username on a website - purely a
> shortcut identifier. Not to be trusted.

I have used websites and services where usernames are email
addresses, but not without some form of challenge/response. (Click
the link in the email, reply to the email, enter the code that was in
the encrypted email, etc.)

- --
Best regards
MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

Change is inevitable except from a vending machine
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJVFJUsXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwrxIH/2/isrb8nBdkoLqIuLHG3e31
UjgPr/wnhjmEOK64FkJDLAUWTyhNdxwtw8p4/hqg95K0SeVF1TtlFgkji1mV0KQD
FY/jRQgRoFVlPgtsMiDxiRqvOZIU40s46gNL+EFOHEufdc+zxoKnWZYGr6Un5ZVc
ALIuhnY0GwIE8uGaoLmuXdg8Qzxe67rOf1VZ0HtY0zrjLfx52kzz5oSNaQRH+ppR
A96w8gPiHCagtCCrTbgMypPioorQBvujSbuvGzBB18dCwlCZsJtOtaj4jT32m2dK
E8ZSvJnHYanrD4XovfjigxjZu1DWvFxxfrlciJzO9RR3XHA3fQX9GiISGrzeNlOI
vgQBFgoAZgUCVRSVMV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45DHPAQAmES/IE2TShtU5v6Rl8d2R4liZ
HH5XughBd/uaU3ysiQEAtpNeHTqK9bMffkZ0kIrz/mAaZaOu1FRvuCmXdEfqgw0=
=AFs/
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
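The following Python sketch is an added example, not code from Confidant Mail or from either poster. It puts the mechanisms discussed in this exchange side by side so their interaction can be seen: the SHA1 hash of an address used as a key-lookup handle (as Mike describes), a first-claim directory that refuses a second key for an already-claimed address (the collision outcome MFPA raises), a client-side trust-on-first-use pin store, and the challenge/response proof of address control MFPA mentions. The class names, the `example.com` addresses, the `FP-...` fingerprints and the server secret are all constructed for the example and are not real identifiers.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def address_lookup_key(address: str) -> str:
    """SHA1 of the normalised address, used only as a directory lookup handle.

    The hash is not a secret: addresses are low-entropy and guessable, so anyone
    can recompute it. It keeps raw addresses out of the directory, nothing more."""
    return hashlib.sha1(address.strip().lower().encode("utf-8")).hexdigest()


class KeyDirectory:
    """Hypothetical first-claim directory (constructed for this example)."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, str] = {}

    def publish(self, address: str, fingerprint: str) -> bool:
        """Register a key under an address hash.

        Returns False on collision, i.e. a different key already holds that
        address (the 'somebody got the address first' case)."""
        h = address_lookup_key(address)
        if h in self._by_hash and self._by_hash[h] != fingerprint:
            return False
        self._by_hash[h] = fingerprint
        return True

    def lookup(self, address: str) -> Optional[str]:
        return self._by_hash.get(address_lookup_key(address))


class TofuStore:
    """Client-side trust-on-first-use pins: remember the first fingerprint seen
    for an address and flag any later change for manual verification."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, address: str, fingerprint: str) -> str:
        h = address_lookup_key(address)
        pinned = self._pins.get(h)
        if pinned is None:
            self._pins[h] = fingerprint
            return "new"        # first contact: pinned, but still unverified
        if hmac.compare_digest(pinned, fingerprint):
            return "match"
        return "mismatch"       # key changed: verify out of band before trusting


class AddressVerifier:
    """Challenge/response proof that the key owner controls the SMTP address.

    A one-time code is sent to the address and must be echoed back. Only an
    HMAC over (address hash, fingerprint, code) is stored server-side, so a
    leaked pending table yields no usable codes."""

    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret
        self._pending: Dict[str, str] = {}

    def _tag(self, h: str, fingerprint: str, code: str) -> str:
        msg = f"{h}|{fingerprint}|{code}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_challenge(self, address: str, fingerprint: str) -> str:
        """Return the code that would be e-mailed to the address (delivery is
        out of scope for this example)."""
        h = address_lookup_key(address)
        code = secrets.token_hex(4)
        self._pending[h] = self._tag(h, fingerprint, code)
        return code

    def confirm(self, address: str, fingerprint: str, code: str) -> bool:
        """One attempt per challenge: the pending entry is consumed whether or
        not the code matches, so a code cannot be guessed by repetition."""
        h = address_lookup_key(address)
        expected = self._pending.pop(h, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected, self._tag(h, fingerprint, code))


def run_scenario() -> dict:
    """Walk through the exchange's scenario with constructed addresses and
    fingerprints (example.com is a reserved documentation domain)."""
    directory = KeyDirectory()
    results = {}
    results["alice_publishes"] = directory.publish("alice@example.com", "FP-ALICE-0001")
    # A second key claims Alice's address: rejected, because the first claim wins.
    results["bob_claims_alice"] = directory.publish("alice@example.com", "FP-BOB-0002")
    results["lookup_alice"] = directory.lookup("alice@example.com")

    tofu = TofuStore()
    results["tofu_first_contact"] = tofu.check("alice@example.com", "FP-ALICE-0001")
    results["tofu_after_key_change"] = tofu.check("alice@example.com", "FP-BOB-0002")

    verifier = AddressVerifier(b"constructed-server-secret")
    code = verifier.issue_challenge("alice@example.com", "FP-ALICE-0001")  # mailed to Alice
    results["alice_verified"] = verifier.confirm("alice@example.com", "FP-ALICE-0001", code)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The directory alone only records who published first; it is the verifier step that ties a claim to control of the SMTP address, and the pin store is what lets a client notice when the key behind an address changes after first contact.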