can't verify signature

David Shaw dshaw@jabberwocky.com
Sat Jul 26 21:27:01 2003


On Sat, Jul 26, 2003 at 07:31:54PM +1000, Ben Finney wrote:
> On 26-Jul-2003, Gustavo Vasconcelos wrote:
> > So, if a company decides to act as a CA for their employees, what's
> > wrong with that?
>
> Nothing (if you accept the doctrine of CAs, which is a whole other
> discussion).
>
> The discussion of this particular key arose because the key has
> *different people* listed as UIDs on the key.  A key should be bound to
> an individual, not multiple persons.

There is no requirement in OpenPGP that this is true.  (Well, there is
no trust model in OpenPGP, but that's another story).  In fact,
OpenPGP defines all sorts of details to make this sort of shared key
easier to use.  Each different user gets their own preference lists,
their own name (of course), their own expiration date, etc.

There are disadvantages, of course, in that user A can read messages
intended for user B, and there is no in-protocol way to determine
which user actually signed a message, but that does not make this key
type useless.

David
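
An added example, not part of the original message: one way a keyring audit could surface shared keys like the one discussed, by parsing a GnuPG `--with-colons` key listing and reporting keys whose user IDs name more than one person. The sample listing is constructed, and the function names and the name-comparison heuristic are assumptions of this example.

```python
import re

# Constructed sample in the `gpg --with-colons --list-keys` format (not real keys).
SAMPLE = """\
pub:f:1024:17:AAAABBBBCCCCDDDD:1059000000:::-:::scESC:
uid:f::::1059000000::0000000000000000000000000000000000000001::Alice Example <alice@corp.example>:
uid:f::::1059000100::0000000000000000000000000000000000000002::Bob Example <bob@corp.example>:
sub:f:2048:16:1111222233334444:1059000000::::::e:
pub:f:1024:17:EEEEFFFF00001111:1059000200:::-:::scESC:
uid:f::::1059000200::0000000000000000000000000000000000000003::Carol Example <carol@home.example>:
uid:f::::1059000300::0000000000000000000000000000000000000004::Carol Example (work) <carol@corp.example>:
uid:r::::1059000400::0000000000000000000000000000000000000005::Dave Example <dave@corp.example>:
"""


def unescape(field):
    """Undo the \\xNN escaping GnuPG applies to user ID fields (e.g. \\x3a for ':')."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def uid_name(uid):
    """Name part of 'Name (comment) <email>', lower-cased and whitespace-normalised."""
    name = re.sub(r"\s*(\([^)]*\)|<[^>]*>)", "", uid)
    return " ".join(name.split()).lower()


def shared_keys(colon_listing):
    """Map key ID -> sorted distinct names, for keys whose user IDs name several people.

    Heuristic (assumption of this example): different names suggest different
    people. Revoked user IDs (validity 'r') are ignored.
    """
    names, keyid = {}, None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid = f[4]                      # field 5: key ID
            names[keyid] = set()
        # Field 10 holds the user ID; older GnuPG also puts the primary UID on 'pub'.
        if f[0] in ("pub", "uid") and keyid and len(f) > 9 and f[9] and f[1] != "r":
            names[keyid].add(uid_name(unescape(f[9])))
    return {k: sorted(v) for k, v in names.items() if len(v) > 1}


if __name__ == "__main__":
    for key, people in shared_keys(SAMPLE).items():
        print(f"{key}: shared by {', '.join(people)}")
```

A key reported here is one where, as the message notes, any listed holder can read mail encrypted to the others and a signature cannot be tied to one of them, so it is worth treating as a role or group key in policy.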
