Email address challenge script for KMail

Ingo Klöcker kloecker at kde.org
Wed Sep 10 22:05:18 CEST 2003


On Wednesday 10 September 2003 18:26, Andras Mantia wrote:
> On Wednesday 10 September 2003 16:04, Antonio Larrosa Jiménez wrote:
> > On Wednesday 10 September 2003 11:12, Matthias Kalle Dalheimer wrote:
> > > On Wednesday 10 September 2003 10.26, Andras Mantia wrote:
> > > The key itself will, but not that additional user ID, AFAIK. So
> > > people will consider your freemail.hu address still valid, but
> > > not your kde.org address.
> >
> > I don't have any experience at all with this (just started using
> > pgp for the signing party), but ... if he sends a signed mail from
> > his valid uid (the freemail.hu one) saying that his kde.org address
> > is also from him, wouldn't that be enough to make us recognize that
> > address as valid for him? so we could also sign his other uid,
> > isn't it?
>
> This was also my way of thinking. As I would like to use the @kde.org
> address for KDE related issues, hereby I say that the amantia at kde.org
> address belongs to me.

If your key had been compromised, then anyone could have added a 
new user id and then written and signed the above message. So this 
doesn't prove anything. But as long as your key (and this means at 
least one of the user ids) has been signed by us we trust your key. The 
worst that could happen if you sign messages sent with your @kde.org 
addresses would be that some email clients might warn us that the 
sender address isn't trusted (which KMail currently doesn't do). But 
that doesn't prevent encryption (except probably automatic encryption) 
nor does it render your signatures invalid. So it's not really 
necessary that any of us signs your @kde.org address until you can 
tell us in person that this address really belongs to you.

> This message is coming from the e-mail address 
> which was also on the printed paper at the keysigning party and it's
> signed using that key. My public key is also attached to this mail.

Anyone can enter any e-mail address in the From: header and anyone who 
has compromised your key could attach "your" public key (which isn't 
even signed because you didn't use the PGP/MIME plugin).

Regards,
Ingo
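The distinction Ingo draws above (the key as a whole is trusted because at least one user ID was certified at the party, but a freshly added, merely self-signed user ID is not) can be made mechanically from GnuPG's machine-readable key listing. The following is an added example, not code from the thread, from KMail or from GnuPG: it parses the `pub`, `uid`, `sig` and `rev` records that `gpg --with-colons --list-sigs` prints (field 5 is the key ID, field 10 the user ID, field 11 the signature class, as documented in GnuPG's doc/DETAILS) and classifies a From: address as certified, self-signed only, or absent from the key. The listing is constructed for the example; every key ID and every signer other than the two addresses discussed in the thread is made up, and the set of "trusted" key IDs is an assumption standing in for keys whose holders you verified yourself.

```python
"""Added example: decide whether a From: address is a *certified* user ID
on the PGP key that signed a message, from `gpg --with-colons --list-sigs`
output. A self-signature proves nothing about a user ID: whoever holds
the private key can add one at any time, so only certifications from
keys we verified ourselves count."""

import re

# 0-based indices into the colon-separated records (GnuPG doc/DETAILS
# numbers them from 1: field 5 is the key ID, field 10 the user ID,
# field 11 the signature class such as "13x").
F_TYPE, F_KEYID, F_USERID, F_SIGCLASS = 0, 4, 9, 10

# Certification classes 0x10 (generic), 0x12 (casual) and 0x13 (positive)
# count; 0x11 (persona) means the signer explicitly did not verify the UID.
ACCEPTED_CERT_CLASSES = {"10", "12", "13"}

# Constructed sample listing: all key IDs are made up, as are the signers
# 3333... and 5555... The freemail.hu UID was certified by 2222... and
# 3333...; the kde.org UID carries only a self-signature, a persona (0x11)
# certification from 5555... and a certification from 3333... that
# 3333... later revoked (the 0x30 "rev" record).
SAMPLE_LISTING = """\
pub:-:1024:17:1111111111111111:2003-09-01:::-:::scESC:
uid:-::::2003-09-01::0000000000000000000000000000000000000000::Andras Mantia <amantia@freemail.hu>:
sig:::17:1111111111111111:2003-09-01::::Andras Mantia <amantia@freemail.hu>:13x:
sig:::17:2222222222222222:2003-09-08::::Ingo Kloecker <kloecker@kde.org>:13x:
sig:::17:3333333333333333:2003-09-08::::Some Other Signer <other@example.org>:12x:
uid:-::::2003-09-10::1111111111111111111111111111111111111111::Andras Mantia <amantia@kde.org>:
sig:::17:1111111111111111:2003-09-10::::Andras Mantia <amantia@kde.org>:13x:
sig:::17:5555555555555555:2003-09-10::::Persona Signer <persona@example.org>:11x:
sig:::17:3333333333333333:2003-09-10::::Some Other Signer <other@example.org>:13x:
rev:::17:3333333333333333:2003-09-11::::Some Other Signer <other@example.org>:30x:
sub:-:1024:16:4444444444444444:2003-09-01::::::e:
sig:::17:1111111111111111:2003-09-01::::Andras Mantia <amantia@freemail.hu>:18x:
"""


def parse_listing(text):
    """Return (primary key ID, {uid: [(signer, class)]}, {uid: {revoking signers}})."""
    primary, current_uid = None, None
    certs, revoked = {}, {}
    for line in text.splitlines():
        f = line.split(":")
        if f[F_TYPE] == "pub":
            primary = f[F_KEYID]
        elif f[F_TYPE] == "uid":
            current_uid = f[F_USERID]
            certs.setdefault(current_uid, [])
            revoked.setdefault(current_uid, set())
        elif f[F_TYPE] in ("sub", "ssb", "uat"):
            current_uid = None  # sig records that follow bind subkeys/photos, not text UIDs
        elif f[F_TYPE] == "sig" and current_uid is not None:
            certs[current_uid].append((f[F_KEYID], f[F_SIGCLASS][:2]))
        elif f[F_TYPE] == "rev" and current_uid is not None:
            revoked[current_uid].add(f[F_KEYID])
    return primary, certs, revoked


def certified_uids(listing, trusted_keyids):
    """Map each UID to the trusted, non-self signers whose certification still stands."""
    primary, certs, revoked = parse_listing(listing)
    return {
        uid: sorted({kid for kid, cls in sigs
                     if kid != primary and kid in trusted_keyids
                     and cls in ACCEPTED_CERT_CLASSES and kid not in revoked[uid]})
        for uid, sigs in certs.items()
    }


_ADDR = re.compile(r"<([^<>]+)>\s*$")


def email_of(userid):
    """Address part of a 'Name <addr>' user ID, lower-cased; bare-address UIDs pass through."""
    m = _ADDR.search(userid)
    return (m.group(1) if m else userid).strip().lower()


def check_sender(from_addr, listing, trusted_keyids):
    """Classify a From: address against the signing key's user IDs:
    'certified'   - a UID with that address is certified by a trusted key
    'self-signed' - the address is on the key, but only the key holder vouches for it
    'not-on-key'  - the address is not a UID of this key at all"""
    addr = from_addr.strip().lower()
    by_uid = certified_uids(listing, trusted_keyids)
    matches = [uid for uid in by_uid if email_of(uid) == addr]
    if not matches:
        return "not-on-key"
    return "certified" if any(by_uid[u] for u in matches) else "self-signed"


if __name__ == "__main__":
    trusted = {"2222222222222222"}  # assumption: we hold key 2222... and verified nobody else
    for addr in ("amantia@freemail.hu", "amantia@kde.org", "other@example.org"):
        print(f"{addr}: {check_sender(addr, SAMPLE_LISTING, trusted)}")
```

With only our own key in the trusted set, the freemail.hu address comes out as certified, the kde.org address as self-signed (exactly the case in the thread: a valid signature from the key, but nothing beyond the key holder's word for the new user ID), and an address that is not on the key at all as not-on-key. Raising a warning on the second outcome, rather than refusing the signature, matches the behaviour Ingo describes for clients that do check the sender address.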