Several questions as feedback on gnupg
Wed Jan 23 17:32:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 23 Jan 2002, Loic Bernable <firstname.lastname@example.org> wrote:
> - A friend of mine pointed out the problem that may occur with persons
> who have a common name and surname. Let's suppose your name is "John Doe
> email@example.com". Now, imagine there is another John Doe, that generates
> a GnuPG key with *your* email address. If someone meets the latest,
> they could check his ID or driving license or whatsoever, but finally
> there would be no way for him to know it is *not* the John Doe related
> to the "firstname.lastname@example.org" address, and worse, John "Charlie" Doe's key
> would be legitimately signed by the third person, not yours. Is that
> clear enough ? :o) This can still be a problem ... Maybe one day we
> will have a thumbprint analysis tool that would complete our public
> key recording ?
I think I see what your concern is, and I've thought about it a bit
myself. My name is probably one of the most common names in Sweden.
There's probably several dozens of people named Johan Andersson in the
small city I live.
No documents I've read on signing keys and the web of trust have
mentioned this. It's been on my find-out-more-list for some time.
Of course, the chance that my antagonist would be named JA as well, or
even find another JA to help, isn't that great. And I'd sureley
notice if people sent me mail encrypted to the wrong key. But then,
the damage could already be done.
Johan Andersson <email@example.com>, http://johan.nforced.com/
GnuPG public key id: 0x6415B9F7 (1024 bits)
Key fingerprint: CA6F 0720 B0D1 2FBA 74EB 348C 3110 6415 B9F7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----