
Why do existing PGP key servers not perform e-mail verification? Wouldn't it help with the problem of authenticating public keys?

By e-mail verification/confirmation I mean a single e-mail sent to the public key e-mail address. The public key would only be published if the e-mail address owner confirms the key.

RoraΖ
lucasmrod

1 Answer


Some do. keyserver.pgp.com does, for example, and it's a useful precaution. However, it would not be sensible to rely on this, or you'd be able to publish public keys - and undertake a spoofing attack or man-in-the-middle attack - if you were to compromise someone's email account only and then submit a fake key!

The best way to ensure ownership is checking the fingerprint by word of mouth or some other, trusted, channel.

David Scholefield
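The confirmation flow the question describes, and the caveat in the answer, modelled as an added example (not code from the original post or from any real key server). It is a toy key server: the "fingerprint" is a plain SHA-256 of the key bytes rather than a real OpenPGP fingerprint, the key material and the address are constructed placeholders, and the token that a real server would e-mail is simply returned to the caller so the scenario can run offline. The walk-through shows that a key is not published without the token, that anyone who can read the mailbox can still get a second key published for the same address, and that an out-of-band fingerprint comparison is what actually separates the two.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Simplified stand-in for a key fingerprint: SHA-256 of the key bytes.
    (A real OpenPGP fingerprint hashes the public-key packet; this toy
    version only needs to be a stable identifier for the demo.)"""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class KeyServer:
    """Toy key server that publishes a key only after the address confirms it."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)    # token -> (email, key bytes)
    published: dict = field(default_factory=dict)  # email -> {fingerprint: key bytes}

    def submit(self, email: str, public_key: bytes) -> str:
        """Record the key as pending and return the confirmation token that a
        real server would send to `email`. Nothing is published at this point."""
        fp = fingerprint(public_key)
        token = hmac.new(self.secret, f"{email}:{fp}".encode(), "sha256").hexdigest()
        self.pending[token] = (email, public_key)
        return token

    def confirm(self, token: str) -> bool:
        """Publish the pending key whose token matches; reject anything else."""
        for issued, (email, key) in list(self.pending.items()):
            if hmac.compare_digest(issued, token):
                del self.pending[issued]
                self.published.setdefault(email, {})[fingerprint(key)] = key
                return True
        return False

    def lookup(self, email: str) -> list:
        """Fingerprints currently published for this address, sorted."""
        return sorted(self.published.get(email, {}))


def demo() -> dict:
    """Walk through the question's flow and the answer's caveat."""
    server = KeyServer()
    addr = "alice@example.org"            # constructed address
    alice_key = b"alice-real-public-key"  # constructed placeholder key material
    fake_key = b"attacker-generated-key"  # constructed placeholder key material

    # 1. Alice uploads her key and confirms from her own mailbox: published.
    server.confirm(server.submit(addr, alice_key))

    # 2. A guessed token (no mailbox access) publishes nothing.
    guessed_accepted = server.confirm(secrets.token_hex(32))

    # 3. Someone who can read that mailbox receives the token for a fake key
    #    and confirms it: the server now lists two keys for the same address.
    server.confirm(server.submit(addr, fake_key))

    # 4. The answer's recommendation: compare against a fingerprint obtained
    #    over a trusted channel. Only the genuine key matches.
    trusted_fp = fingerprint(alice_key)
    verdicts = {fp: fp == trusted_fp for fp in server.lookup(addr)}

    return {
        "guessed_token_accepted": guessed_accepted,
        "published_for_address": server.lookup(addr),
        "matches_trusted_fingerprint": verdicts,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `compare_digest` call in `confirm` is the one detail worth copying into anything real: a plain string comparison of tokens leaks timing. Everything else is deliberately minimal so the two outcomes stay visible: e-mail confirmation stops random uploads, but it cannot distinguish the address owner from whoever currently reads that mailbox.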