David Shaw
Sat Jul 26 21:27:01 2003

On Sat, Jul 26, 2003 at 07:31:54PM +1000, Ben Finney wrote:
> On 26-Jul-2003, Gustavo Vasconcelos wrote:
> > So, if a company decides to act as a CA for their employees, what's
> > wrong with that?
> Nothing (if you accept the doctrine of CAs, which is a whole other
> discussion).
> The discussion of this particular key arose because the key has
> *different people* listed as UIDs on the key.  A key should be bound to
> an individual, not multiple persons.

There is no requirement in OpenPGP that this is true.  (Well, there is
no trust model in OpenPGP, but that's another story).  In fact,
OpenPGP defines all sorts of details to make this sort of shared key
easier to use.  Each different user gets their own preference lists,
their own name (of course), their own expiration date, etc.

There are disadvantages, of course, in that user A can read messages
intended for user B, and there is no in-protocol way to determine
which user actually signed a message, but that does not make this key
type useless.
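The shared-key arrangement described above, as an added demonstration that is not part of David's post or of GnuPG's own documentation: one key carrying two user IDs, each with its own preference list, followed by the two caveats (either person can decrypt the other's mail, and a signature names only the key). Everything in it is assumed for the demo: the two names and the example.invalid addresses are made up, the preference strings are arbitrary choices, and it relies on a GnuPG 2.1 or later command line (`--quick-add-uid`, `%no-protection`). It runs in a throwaway GNUPGHOME and removes it afterwards.

```shell
#!/bin/sh
# Added demo, not code from the original post. Assumes gpg >= 2.1 on PATH.
# Names, addresses (example.invalid) and preference strings are constructed.
set -eu

# The actual steps; run inside a private GNUPGHOME by shared_key_demo.
# Returns 0 when every claimed property holds, 1 otherwise.
demo_steps() {
    # 1. Primary user ID with an explicit (non-default) preference list.
    gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF' || return 1
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Shared Key User A
Name-Email: user-a@example.invalid
Preferences: AES256 SHA512 ZLIB
Expire-Date: 0
%commit
EOF
    fpr=$(gpg --batch --with-colons --list-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # 2. Second person on the same key, then give that user ID its own prefs.
    #    Preferences are stored in each user ID's self-signature, so the two
    #    users can differ without affecting each other.
    gpg --batch --quiet --quick-add-uid "$fpr" \
        "Shared Key User B <user-b@example.invalid>" >/dev/null 2>&1 || return 1
    printf 'uid 2\nsetpref AES192 SHA256 ZIP\ny\nsave\n' |
        gpg --batch --command-fd 0 --status-fd 2 --edit-key "$fpr" \
            >/dev/null 2>&1 || return 1
    distinct=$(gpg --export "$fpr" | gpg --list-packets 2>/dev/null |
               grep 'pref-sym-algos' | sort -u | wc -l)
    [ "$distinct" -ge 2 ] || return 1

    # 3. Caveat: mail encrypted "to user B" is readable by user A, because
    #    both names resolve to the one encryption subkey on this key.
    plain=$(printf 'for B only' |
            gpg --batch --quiet --trust-model always \
                -r user-b@example.invalid -e |
            gpg --batch --quiet -d 2>/dev/null)
    [ "$plain" = "for B only" ] || return 1

    # 4. Caveat: a signature carries the issuing key ID, never the person.
    msg="$GNUPGHOME/msg.txt"; sig="$GNUPGHOME/msg.txt.asc"
    printf 'signed by one of us\n' > "$msg"
    gpg --batch --quiet --armor --detach-sign -u "$fpr" -o "$sig" "$msg" \
        || return 1
    gpg --list-packets "$sig" 2>/dev/null | grep -q 'issuer' || return 1
    if gpg --list-packets "$sig" 2>/dev/null | grep -q "signer's user ID"; then
        return 1   # would only appear if the signer opted in via --sender
    fi
    # gpg reports "Good signature from ... A" and "aka ... B": both names,
    # because all it can tell you is which key signed.
    gpg --batch --verify "$sig" "$msg" 2>&1 | grep -E 'Good signature|aka' || true
    return 0
}

# Wrapper: private keyring, cleanup, and a distinct code when gpg is missing.
# Returns 0 on success, 1 on failure, 77 if gpg is not installed.
shared_key_demo() {
    command -v gpg >/dev/null 2>&1 || return 77
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    rc=0
    demo_steps || rc=$?
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"
    return "$rc"
}

rc=0
shared_key_demo || rc=$?
case $rc in
    0)  echo "shared-key demo: all properties hold" ;;
    77) echo "shared-key demo: gpg not installed, skipped" ;;
    *)  echo "shared-key demo: failed" >&2; exit 1 ;;
esac
```

Step 4 is the practical point for anyone accepting signatures from such a key: `gpg --verify` will print both user IDs, so any attribution of a message to one particular person has to come from outside the protocol (a sender address, an agreement among the key holders), not from the signature itself.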


