The disadvantages of online KSP

Florian Weimer fw at
Sat Dec 25 22:10:37 CET 2004

* Ben Branders:

> Yes, of course. But even if you do meet them in real life, how can you
> ever be sure? If, for example, someone uses a nickname for his e-mailadres
> and his key, how can you check if he really 'owns' that nickname.

You don't sign such things.  It's a simple matter of policy.  You only
mark keys as trusted if you the key holder follows the same policy.

> How does OpenPGP take care of that? Or am I forgetting something in my
> little story here?

It doesn't.  OpenPGP only specifies a transport format, and hardly any
semantics.  Implementations enforce some semantics (and sometimes,
they disagree), others a matter of the policy the users choose to
follow.  This is both the strength and weakness of OpenPGP, compared
to X.509.

More information about the Gnupg-users mailing list