The disadvantages of online KSP

Ben Branders ben.branders at
Sat Dec 25 22:01:19 CET 2004

David Shaw - 25/12/04 21:33:
> Signing someone's key is you making a statement that you have checked
> that the key belongs to the person named in the user ID.  You really
> can't do that in a strong way without meeting physically.

Yes, of course. But even if you do meet them in real life, how can you
ever be sure? If, for example, someone uses a nickname for his e-mail address
and his key, how can you check if he really 'owns' that nickname?

Suppose I know someone with the nickname X2. I also know that there is a
key signing party next week. I make a new e-mail account, x2 at Then
I generate a key for that account, but instead of typing my name, I use
'X2' (which is of course the nickname of someone else).

I go to the KSP and someone wants to sign my key. Although he can check my
identity, he can't know if X2 is my real nickname or not...

How does OpenPGP take care of that? Or am I forgetting something in my
little story here?

--
Ben Branders             

 .---.               E-mail privacy is a right, not a privilege.
/    |\________________    Please sign and/or encrypt your mail.
| () | ________   _   _)
\    |/        | | | |      Gnu Privacy Guard:
 `---'         "-" |_|     Enigmail:
