Re: Keysigning challenge policies/procedures
* Todd Zullinger [EMAIL PROTECTED] wrote:
> What I don't see in any of the links is more information about sending
> an email challenge before signing a key. (My apologies if I'm
> overlooking it on your page or any of the others.)

Before, I used a protocol for signing keys where I sent out random strings as a challenge response, but it's not worth it. There is no enhanced security, only more work for signer and signee. If you send the signed UIDs encrypted to each mail address separately, it has the same effect on security: if the mail address bounces or the person behind the address doesn't have the private key, your signed UIDs won't become publicly available.

> It's been discussed here before but I've not found any scripts or good
> details that I could point my fellow LUG members toward. Isn't it a
> good thing to send some random data to each UID on the key someone
> wishes you to sign and require that they send back that data signed by
> the key to prove they control both the key and the email address in
> the UID?

There are some scripts around, but don't use CA-Bot as Ingo suggested. As he has already said, it has problems with so-called sign-only keys and it sends out broken mails. caff, from the same author, handles these keys much better. It can be downloaded from the third link I mentioned. Besides, it is already available in Debian and FreeBSD.

Regards,
Marcus

-- 
This elevator serves me alone. I have complete control over this entire level. With cameras as my eyes and nodes as my hands, I rule here, insect. (Shodan in System Shock)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
* Ingo Klöcker [EMAIL PROTECTED] wrote:
> On Friday 07 July 2006 17:09, Todd Zullinger wrote:
>> Have you found in practice that you don't run into many sign-only
>> keys that you are asked to certify?
> Among a few hundred keys I've signed so far, only a handful were
> sign-only or certification-only keys. I simply signed them with a
> lower verification level.

Me, too. I just give these sign-only keys a level of 2, as explained in my policy. I have been at several (large) keysigning parties and luckily there are not so many sign-only keys around. I don't like them very much, but that's life ...

Regards,
Marcus

-- 
Paranoia just means seeing reality more realistically than others do.
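The two mechanisms discussed in this thread, the caff-style "sign each UID separately, encrypt it to the key and mail it to that UID" procedure from the first reply, and the reduced certification level for sign-only keys that cannot receive encrypted mail from this one, can be expressed as a small planner. The script below is an added example written for this page; it is not code from the list posts, from caff or from GnuPG. It parses a constructed `gpg --with-colons --list-keys` listing (fingerprints, key IDs and addresses are made up) and, per UID, produces the gpg command lines for signing, exporting just that UID and, where the key has an encryption capability, encrypting the result to the key. Assumed: GnuPG 2.1.16 or newer for `--quick-sign-key`, `--export-filter keep-uid=mbox=...` and `--default-cert-level`; the certification levels 3 (full) and 2 (reduced) follow the policy described above; `SIGNER_FINGERPRINT_PLACEHOLDER` stands in for the signer's own key. Handing the output file to a mailer is left to the reader.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --list-keys` output. Fingerprints,
# key IDs and addresses are made up. The first key has an encryption subkey
# ('E' in the capability field), the second is sign-only ('scSC', no 'E').
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1151884800:::u:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::1151884800::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
uid:u::::1151884800::1111111111111111111111111111111111111111::Alice Example <alice@example.net>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1151884800::::::e::::::23:
fpr:::::::::FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000:
pub:u:2048:17:00AA11BB22CC33DD:1151884800:::u:::scSC::::::23::0:
fpr:::::::::9999888877776666555544443333222211110000:
uid:u::::1151884800::2222222222222222222222222222222222222222::Bob Signonly <bob@example.org>::::::::::0:
"""


@dataclass
class Key:
    fingerprint: str = ""
    capabilities: str = ""
    uids: list = field(default_factory=list)


@dataclass
class Step:
    uid: str
    address: str
    cert_level: int
    encrypted: bool
    commands: list


def parse_listing(text):
    """Collect the primary fingerprint, capability flags and user IDs of each key.

    Colon-format fields (1-based): pub field 12 = capabilities, fpr field 10 =
    fingerprint, uid field 10 = user ID with ':' escaped as '\\x3a'.
    """
    keys = []
    current = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = Key(capabilities=f[11])
            keys.append(current)
        elif f[0] == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = f[9]  # first fpr after pub is the primary key
        elif f[0] == "uid" and current is not None:
            current.uids.append(f[9].replace("\\x3a", ":"))
    return keys


def can_encrypt(key):
    """Upper-case 'E' means the key as a whole can receive encrypted mail."""
    return "E" in key.capabilities


def plan_signing(key, signer, full_level=3, reduced_level=2):
    """One Step per mail-bearing UID: sign, export only that UID, encrypt if possible.

    A sign-only key cannot decrypt the mailed certificate, so the encrypted
    delivery proves nothing; it gets the reduced certification level instead.
    """
    encrypt = can_encrypt(key)
    level = full_level if encrypt else reduced_level
    steps = []
    for uid in key.uids:
        m = re.search(r"<([^>]+)>", uid)
        if not m:
            continue  # photo IDs or bare names have no address to deliver to
        addr = m.group(1)
        cmds = [
            ["gpg", "--local-user", signer, "--default-cert-level", str(level),
             "--quick-sign-key", key.fingerprint, uid],
            ["gpg", "--armor", "--export-filter", f"keep-uid=mbox={addr}",
             "--export", key.fingerprint],
        ]
        if encrypt:
            cmds.append(["gpg", "--armor", "--encrypt", "--recipient", key.fingerprint])
        steps.append(Step(uid, addr, level, encrypt, cmds))
    return steps


def render(step):
    """Shell line for one UID; the export is piped into the optional encrypt."""
    sign = shlex.join(step.commands[0])
    pipeline = " | ".join(shlex.join(c) for c in step.commands[1:])
    out = shlex.quote(f"signed-uid-for-{step.address}.asc")
    return f"{sign} && {pipeline} > {out}"


if __name__ == "__main__":
    for key in parse_listing(SAMPLE_LISTING):
        for step in plan_signing(key, signer="SIGNER_FINGERPRINT_PLACEHOLDER"):
            print(render(step))
```

Because each `--quick-sign-key` call adds a certification to the signer's local copy of the key, the `keep-uid=mbox=` export filter is what keeps every mailed file down to a single UID; a recipient who cannot decrypt the file, or whose address bounces, never obtains a publishable certificate, which is the property the first reply relies on.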
Re: Keysigning challenge policies/procedures
* Todd Zullinger [EMAIL PROTECTED] wrote:
> I was wondering if some folks here have detailed their challenge
> policies and procedures and if you'd mind sharing them if you have?
> Even handier would be some scripts to help in the automation of this
> task. ;)

http://www.sc-delphin-eschweiler.de/pgp/
http://sion.quickie.net/keysigning.txt
http://pgp-tools.alioth.debian.org/

Regards,
Marcus

-- 
What is the finest thing in a man's life? - A wide steppe, a swift horse, the falcon on his fist and the wind in his hair. - Wrong! Conan, you tell me! - To fight the enemy, to pursue him and destroy him, and to delight in the wailing of the women.
Re: Key signing at the LinuxTag
* Werner Koch [EMAIL PROTECTED] wrote:
> On Fri, 28 Apr 2006 18:22:44 +0200, markus reichelt said:
>> will you attend the key signing party too?
> Only if they don't require to register for that party and use a speedy
> protocol; i.e. requiring participants to hand out paper strips with the
> fingerprint while at the same time presenting some kind of ID card to
> the next participant; then rotating to the next one.

Okay, then I believe you will not attend the key signing party, for they use another protocol and registration is required by this Sunday:

http://www.linuxtag.org/2006/de/community/keysigning.html

However, I would like to exchange fingerprints with you, Werner. I will be there on Friday. Can we set up place and time here so other people can join, too?

Regards,
Marcus

-- 
I've read BIND code. And it was terrible. I've read tinydns code. And it was terrible. Someone should explain DNS to Paul Vixie and DJB. Academically speaking, tinydns is inferior. But it just works. Allegedly.
Thomas Ogrisegg in [EMAIL PROTECTED]