Eugene Smiley on Mon, 24 Feb 2003 18:01:08 -0500



[PLUG] PGP/GPG robotCA's


I thought everyone would be interested in these two sites/programs. They
are both robotCA's, an email verification application to prove that the
email on a key belongs to the owner of the key. This is based on an idea
from Phil Zimmermann in 2001. The first is written in Perl; the other in
Python. Both have source posted if you see a need to run a copy for
yourself.

http://www.toehold.com/robotca/
http://www.imperialviolet.org/keyverify.html

The first one is the simpler of the two. The explanation of how it works
is a bit short. The interesting bit that is missing is that when it sends
the signed key back to the email address, it encrypts it using the public
key. This forces the requestor to enter the passphrase to get to the
key with the robotCA signature to import into their keyring.

The second site takes more effort on the part of the person requesting a
signature, and the method used leaves some security openings, i.e. if
multiple people share an email address, there is no verification that the
person making the request has possession of the passphrase/private key.

Thanks,
Eugene
--------------------------------------------------------------------
Creating solutions to any problem.
--------------------------------------------------------------------
I'm a SpamFighter, are you? Try SpamNet (http://www.cloudmark.com).
--------------------------------------------------------------------
PGP Fingerprint 5B8F E97F 9E56 077A 17A9  3B9A E903 ED02 A7ED FD2F
--------------------------------------------------------------------
[end]

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug