Email address challenge script for KMail

Ingo Klöcker kloecker at kde.org
Mon Aug 25 14:24:20 CEST 2003


On Monday 25 August 2003 12:12, Sebastian Stein wrote:
> Ingo Klöcker <kloecker at kde.org> [030825 12:02]:
> > The email address ingo.kloecker at gmx.de doesn't belong to me but to
> > another Ingo Klöcker (who even happens to live only about 20 km
> > from me). Unless you'd checked all my email addresses you'd all
> > blindly sign this user id if I had added it to my key.
> >
> > After a considerable number of people have signed this user id I
> > could cause a lot of confusion by sending email addresses with
> > From: ingo.kloecker at gmx.de and signed with my key to people who
> > know the other Ingo.
>
> I think this is not true. If you add a userid to your key (gpg
> --edit-key -> adduid) you have to enter your passphrase, because you
> are editing your key. So if you add the email address of the other
> guy to your public key, it is your fault.

Of course I'd have to add the other Ingo's email address on purpose so 
that I'd later be able to cause trouble for him.

> Please test the signature of my last mail. I've sent it over
> s5228 at informatik.htw-dresden.de, because I'm subscribed to this list 
> with that address. My gpg public key doesn't contain this uid, but you 
> are able to verify the signature, because of the ID in the signature 
> and not because of the email address I used.

Actually KMail should warn the user if the sender's address isn't 
contained in the key that was used to sign the message.

> In the end email address could never be something unique, because it 
> is very simple to fake an email address. The verification has always 
> to be done over the ID!

True. But it's already hard enough for people to grasp the basics of 
signing/encryption.

Anyway, as I said above the challenge is optional. If you don't want to 
check the email addresses for whatever reasons then don't do it.

Regards,
Ingo
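
The sender-address check discussed in this message, sketched as an added example (not part of the original mail and not KMail's code): it compares the From: address with the user IDs on the signing key, read from `gpg --with-colons` key listing output. The key listing, addresses and function names below are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample of `gpg --with-colons --list-keys <keyid>` output (not a real key).
SAMPLE_KEY_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:2003-01-01:::u:::scESC:
uid:u::::2003-01-01::AAAA::Alice Example <alice@example.org>:
uid:u::::2003-01-01::BBBB::Alice Example (work) <alice@corp.example>:
uid:r::::2003-01-01::CCCC::Alice Example <old@example.net>:
sub:u:1024:16:FEDCBA9876543210:2003-01-01::::::e:
"""

def unescape(field):
    # gpg escapes ':' and control characters in colon output as \xNN.
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def key_emails(listing):
    """Return the e-mail addresses of all usable user IDs on the key."""
    emails = set()
    for line in listing.splitlines():
        f = line.split(":")
        # Field 10 (index 9) holds the user ID; old gpg versions put the
        # primary user ID on the pub record, newer ones on uid records.
        if f[0] not in ("pub", "uid") or len(f) < 10 or not f[9]:
            continue
        # Field 2 is the validity: skip revoked, expired or invalid user IDs.
        if f[0] == "uid" and f[1] in ("r", "e", "i"):
            continue
        m = re.search(r"<([^<>@\s]+@[^<>\s]+)>", unescape(f[9]))
        if m:
            emails.add(m.group(1).lower())
    return emails

def sender_matches_key(from_header, listing):
    """True if the From: address appears in a usable user ID of the key."""
    # Assumption: addresses are compared case-insensitively.
    sender = parseaddr(from_header)[1].lower()
    return bool(sender) and sender in key_emails(listing)

if __name__ == "__main__":
    for hdr in ("Alice Example <alice@example.org>",
                "Alice Example <alice@university.example>"):
        ok = sender_matches_key(hdr, SAMPLE_KEY_LISTING)
        print(hdr, "->", "ok" if ok else "WARN: address not on signing key")
```

A match only says the key claims that address; whether the claim deserves trust still depends on who certified that user ID.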