On Mon, Feb 07, 2005 at 05:21:05PM +1300, Mark Davies wrote:
So from the key signing party we should be in the position that, for anyone we have verified, we are happy that the PGP key we have the fingerprint for is indeed for the person we met, but the one thing that the process hasn't done is confirm that all the email addresses listed in the key are under the control of that person.
How would further verification of the email address increase security or trust? By providing their key, and confirming it during the key-signing, the owner is implying the email addresses listed are valid. Non-repudiation doesn't seem to be threatened by an invalid email address. Is there any MUA that requires a PGP-signed email to originate from one of the user IDs listed in the public key? Nor is privacy compromised if I send a message encrypted for Alice to Bob's email address. Worst case, it will never reach the intended recipient.

I'm happy to confirm my email address via these means, although I don't see enough benefit for me to verify other addresses myself.

I would say, as Ewen mentioned, that sending the signed key in an encrypted message is probably best. That way we avoid cluttering the key-servers with what may be useless keys. I shall do that next time. :)

Sam.
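The "sign, encrypt to the key, mail to each address" procedure that Sam and Ewen describe is what tools such as caff automate: our certification of each user ID is delivered only to that user ID's mailbox, encrypted to the key itself, so the signature can only be imported by someone who both reads that mailbox and holds the private key, and nothing reaches a keyserver unless the owner uploads it. The script below is an added example and is not from the thread or from any of the participants; it assumes a GnuPG 2.1 or later CLI (for `--quick-sign-key` and `--export-filter keep-uid`), that our own signing key is the default key in the local keyring, and that a local mailer is available for the last step, which is left as a comment. The colon-format key listing embedded in it is constructed sample data with a made-up fingerprint.

```shell
#!/bin/sh
# Per-UID key-signing delivery after a key-signing party (added example).
# Assumes GnuPG >= 2.1 and that our certifying key is gpg's default key.

# Read `gpg --with-colons --list-keys` output on stdin and print the email
# address of every user ID that is not revoked (r) or expired (e).
# Field 2 of a uid record is its validity, field 10 the user ID string.
uid_emails() {
    awk -F: '
        $1 == "uid" && $2 != "r" && $2 != "e" {
            if (match($10, /<[^>]+>/))
                print substr($10, RSTART + 1, RLENGTH - 2)   # "Name <addr>"
            else if (index($10, "@"))
                print $10                                   # bare "addr"
        }'
}

# Constructed sample listing (fingerprint and hashes are placeholders):
# three usable UIDs, one revoked, one without an email address.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1400000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1400000000::HASH1::Alice Example <alice@example.org>::::::::::0:
uid:r::::1400000000::HASH2::Alice Old <alice@old.example>::::::::::0:
uid:u::::1400000000::HASH3::Alice Example (work) <alice@example.net>::::::::::0:
uid:u::::1400000000::HASH4::Alice Example (no mail)::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1400000000::::::e::::::23:'

# For the key with fingerprint $1: certify each live UID, then for each one
# export a copy of the key that carries only that UID (and our signature on
# it), encrypt it to the key itself and write it to $2/<addr>.asc.
# The owner has to decrypt the file with the private key AND have received it
# at that address to import the signature, which is what confirms the UID.
deliver_per_uid_signatures() {
    fpr=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    for addr in $(gpg --batch --with-colons --list-keys "$fpr" | uid_emails); do
        # Sign only the UID matching this address (non-interactive; the
        # passphrase is supplied by gpg-agent).
        gpg --batch --yes --quick-sign-key "$fpr" "$addr" || return 1
        # keep-uid drops every other UID and the signatures hanging off them,
        # so the recipient at this address learns nothing about the others.
        gpg --batch --yes --export-filter "keep-uid=mbox = $addr" --export "$fpr" \
          | gpg --batch --yes --trust-model always --armor \
                --recipient "$fpr" --encrypt > "$outdir/$addr.asc" || return 1
        printf 'wrote %s for %s\n' "$outdir/$addr.asc" "$addr"
        # Mailing step, assumed local MTA, e.g.:
        # mail -s "Your signed OpenPGP key" "$addr" < "$outdir/$addr.asc"
    done
}

# Usage: sh this-script.sh <fingerprint> <output-dir>
if [ "$#" -eq 2 ]; then
    deliver_per_uid_signatures "$1" "$2"
fi
```

Running `printf '%s\n' "$SAMPLE_LISTING" | uid_emails` yields `alice@example.org` and `alice@example.net`; the revoked UID and the UID without an address are skipped, so no signature is produced for them. Note that the exported copy is deliberately not made with `export-minimal`, since that option would strip our fresh certification along with everything but the self-signature.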