Recommendations for handling (multiple) user IDs - personal and company ones
mailinglisten at hauke-laging.de
Sat Jun 8 21:21:17 CEST 2013
Am Sa 08.06.2013, 13:03:06 schrieb Daniel Kahn Gillmor:
> fwiw, some people might not be comfortable certifying a User ID
> ("signing a key") with such a comment,
Crypto is NOT about comfort but about security. The point is: Does a
certification make sense? Most certifications I see do not.
They come without a certification level, without a policy URL, usually have no
(especially not a reliably signed) key policy and are usually not made by
offline main keys (or similar). In the end: more or less worthless. The WoT in
its current form is occupational therapy for people who refuse to do crypto
right (or rather: don't know what that means).
> since it is not actually a part of the user's identity.
Who cares? The question is: Does such a UID make the key better (with or
without the WoT)? And if the answer is "It does", who would dare argue against
that with the vague definition from the RfC?
A comment may be a statement about the function of the key owner in an
organization and thus is an important part of the identity. This is explicitly
intended by signature law! Such a comment should be certified by the
organization's certification key only. That it does not make sense that
everyone signs a comment does not make the comment useless or bad in any way.
> How is an OpenPGP certifier supposed to
> validate the correctness of this comment?
You have to read the comment statement and its certification right. It
obviously doesn't mean "I have checked that this is true" as everybody
immediately understands that it is not possible for the certifier to check
this. Instead it means: "I testify to it that the key owner makes this
statement about the certified key." And statements about keys are damn
important. You cannot do secure crypto without them.
You are right insofar as in a perfect world this information might better be
placed elsewhere (standardized, machine readable signature notations). But in
this world and this time not even policy URLs are shown by default. Thus for
maybe the next five years it is definitely a good idea to put the most
important information about a key into a UID.
Sorry but the example you use on that page is ridiculous. It doesn't prove
anything about UID comments except for the trivial fact that it is possible to
use them for ridiculous purposes. You really should not leave that online.
If someone makes a statement about the security of his key and decides to
change this statement for the same key (no matter in which direction) that
would be self-sabotage. Stupid behaviour but not nearly an argument against
statements about key security. And such statements are useless if they are not
certified. It would make sense that the certifier demands that statement on
paper with a manual signature.
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 572 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users