can`t verify signature
Sat Jul 26 21:27:01 2003
Content-Type: text/plain; charset=us-ascii
On Sat, Jul 26, 2003 at 07:31:54PM +1000, Ben Finney wrote:
> On 26-Jul-2003, Gustavo Vasconcelos wrote:
> > So, if a company decides to act as a CA for their emplyes, what's
> > wrong with that?
> Nothing (if you accept the doctrine of CAs, which is a whole other
> The discussion of this particular key arose because the key has
> *different people* listed as UIDs on the key. A key should be bound to
> an individual, not multiple persons.
There is no requirement in OpenPGP that this is true. (Well, there is
no trust model in OpenPGP, but that's another story). In fact,
OpenPGP defines all sorts of details to make this sort of shared key
easier to use. Each different user gets their own preference lists,
their own name (of course), their own expiration date, etc.
There are disadvantages, of course, in that user A can read messages
intended for user B, and there is no in-protocol way to determine
which user actually signed a message, but that does not make this key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
-----END PGP SIGNATURE-----