AW: Re: laying groundwork for an eventual migration away from SHA1 with gpg

Robert J. Hansen rjh at
Thu May 21 16:59:21 CEST 2009

This subject is increasingly off-topic for -devel.  I've cc'd this
message to -users; let's see if we can't move the thread there.

Niels Dettenbach wrote:
> Hmmm, keysigning parties make sense if they strictly follow serious
> procedures and requirements - but they can't give 100% security (like
> most other identity checks). Even a passport could be modified or
> cheated.

With a high-quality forged passport I can not only travel -- I can also
vote, run for (most) public offices, get utilities in my name, open bank
accounts, and so on.  Those secondary pieces of documentation won't be
forgeries, they'll be real -- and once I have them, I destroy my forged
passport and settle into my new assumed identity.

If the attacker is smart enough and savvy enough to get a high-quality
forged passport, there's no way they'll present it for inspection to
someone who's actively looking for a forged passport.  They'll present
their real (obtained illegally and containing incorrect information, but
quite real) identity documents instead.

Further, you won't find 100% security anywhere.  Pursuing it is an
ephemera.  You won't get there, and if you obsess over it your obsession
will ultimately hurt your security.
