This is a summary and outcome of two sessions of the 3rd OpenPGP Email Summit discussing how to deal with Key/Email Validations.


Categorizing Key and Validation Servers

Current examples:

|                                        | pure Key Server | both Key- and Validating Server | pure Validating Server |
|----------------------------------------|-----------------|---------------------------------|------------------------|
| doesn't add PGP signatures for signing | SKS             | Mailvelope                      |                        |
| adds PGP signatures for signing        |                 | GMX                             | TNG                    |

Better Table?:

|            | Key Server (only holds keys) | validated by | Validating Server | adds PGP signature for validation |
|------------|------------------------------|--------------|-------------------|-----------------------------------|
| SKS        | yes                          |              |                   |                                   |
| Google     | yes                          | itself       |                   |                                   |
| GMX        | yes                          | itself       | yes               | yes                               |
| Mailvelope | yes                          | GMX and ???  | yes               |                                   |
| TNG        |                              |              | yes               | yes                               |

Standard Validation Signatures

The discussion centred on the question: if servers validate email addresses and sign that validation, can we establish an improved (backward compatible) signature format that specifically signals the successful validation of an email address?

What do we want to signal with a validation signature (and what can we do already):

|                                   | Currently with OpenPGP | Goal | How? |
|-----------------------------------|------------------------|------|------|
| What was validated?               | the (person behind a) UID | the email address in a UID | new field for the exact email address |
| How was validated?                | only signature/certification levels ("0: no statement", "1: didn't validate", "2: casual validation", "3: extensive validation") | open list of keywords signaling how it was validated (e.g. "encemail-and-click" for "click on URL after getting an encrypted email") | new field with predefined possible values |
| When did the validation happen?   | Currently there is only the timestamp of the signature and an optional expiry date. This can be a problem if the validation happened earlier than adding the signature (e.g. when later signing another key for the same email address). | A clear statement of when exactly the validation happened. An expiry date still makes sense to help filter out expired signatures. | recommendation to always set the expiry date to e.g. 1 year, and a new field for the validation date |
| Who validated?                    | defined by the signing key | no change here (we still want that trusting a key that represents the validation gives trust to the validated keys) | |
| Details of the validation policy  | Policy URL | no change here (it makes sense to give the ability to add a URL that explains the validation (policy) in detail) | |
| ???                               | ??? | signed certificate timestamp | |
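To make the table concrete, the following is an added example (not code from the summit or any of the listed servers) of how the proposed fields could ride inside a standard certification signature's hashed subpacket area: creation time, a one-year expiry and Policy URI are existing RFC 4880 subpackets, while the validated email, validation method and validation date are carried as Notation Data subpackets. The notation names (`validated-email@example.org` etc.) are hypothetical placeholders, not an agreed standard.

```python
import struct

def subpacket(ptype: int, body: bytes, critical: bool = False) -> bytes:
    """Encode one signature subpacket (RFC 4880 §5.2.3.1): length, type octet, body."""
    n = len(body) + 1                       # length covers the type octet too
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        n -= 192
        hdr = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return hdr + bytes([ptype | (0x80 if critical else 0)]) + body

def notation(name: str, value: str) -> bytes:
    """Notation Data subpacket (type 20), flagged human-readable (0x80000000)."""
    n, v = name.encode(), value.encode()
    return subpacket(20, struct.pack(">IHH", 0x80000000, len(n), len(v)) + n + v)

ONE_YEAR = 365 * 24 * 3600                  # expiry recommended in the discussion

def build_validation_subpackets(email, method, validated_at, signed_at,
                                policy_url, expiry=ONE_YEAR) -> bytes:
    """Hashed subpacket area for a validation certification (hypothetical notation names)."""
    return b"".join([
        subpacket(2, struct.pack(">I", signed_at)),       # Signature Creation Time
        subpacket(3, struct.pack(">I", expiry)),          # Signature Expiration (seconds after creation)
        subpacket(26, policy_url.encode()),               # Policy URI
        notation("validated-email@example.org", email),   # what was validated
        notation("validation-method@example.org", method),# how it was validated
        notation("validation-date@example.org", str(validated_at)),  # when it was validated
    ])

def parse_subpackets(data: bytes) -> dict:
    """Walk a subpacket area and pull out the fields relevant to validation."""
    out, i = {"notations": {}}, 0
    while i < len(data):
        first = data[i]; i += 1
        if first < 192: n = first
        elif first < 255: n = ((first - 192) << 8) + data[i] + 192; i += 1
        else: n = struct.unpack(">I", data[i:i + 4])[0]; i += 4
        ptype, body = data[i] & 0x7F, data[i + 1:i + n]; i += n
        if ptype == 2: out["created"] = struct.unpack(">I", body)[0]
        elif ptype == 3: out["expires_after"] = struct.unpack(">I", body)[0]
        elif ptype == 26: out["policy_url"] = body.decode()
        elif ptype == 20:
            nl, vl = struct.unpack(">HH", body[4:8])
            out["notations"][body[8:8 + nl].decode()] = body[8 + nl:8 + nl + vl].decode()
    return out

def is_valid_at(info: dict, now: int) -> bool:
    """A signature is usable until creation time plus its expiration offset."""
    return "expires_after" not in info or now < info["created"] + info["expires_after"]
```

Note that the validation date (a notation) and the signature creation time (a standard subpacket) are deliberately separate values, which is exactly the gap the "When did the validation happen?" row describes.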

Whiteboard 3rd OpenPGP Email Summit:


