The disadvantages of online KSP

Ben Branders ben.branders at skynet.be
Sat Dec 25 22:01:19 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Shaw - 25/12/04 21:33:
> Signing someone's key is you making a statement that you have checked
> that the key belongs to the person named in the user ID.  You really
> can't do that in a strong way without meeting physically.

Yes, of course. But even if you do meet them in real life, how can you
ever be sure? If, for example, someone uses a nickname for his e-mail address
and his key, how can you check if he really 'owns' that nickname?

Suppose I know someone with the nickname X2. I also know that there is a
key signing party next week. I make a new e-mail account, x2 at mail.com. Then
I generate a key for that account, but instead of typing my name, I use
'X2' (which is of course the nickname of someone else).

I go to the KSP and someone wants to sign my key. Although he can check my
identity, he can't know if X2 is my real nickname or not...

How does OpenPGP take care of that? Or am I forgetting something in my
little story here?



Regards
- --
Ben Branders                       http://bytewarrior.madoka.be

 .---.               E-mail privacy is a right, not a privilege.
/    |\________________    Please sign and/or encrypt your mail.
| () | ________   _   _)
\    |/        | | | |      Gnu Privacy Guard: http://gnupg.org
 `---'         "-" |_|     Enigmail: http://enigmail.mozdev.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFBzdUcqLIDOkaTj9sRAti6AJ9gXcDy7ZuhdgXkkA77kc+63+usTQCdEajN
wCqOEGc1l42LeSkQeZHU6cY=
=SCKH
-----END PGP SIGNATURE-----



