gpgsm and expired certificates

MFPA expires2013 at
Mon Nov 4 15:02:30 CET 2013

Hash: SHA512


On Saturday 2 November 2013 at 6:48:39 PM, in
<mid:87fvreprlk.fsf at>, Uwe Brauer wrote:

> Your point being?

> I presume it goes like this: NSA is  "a government
> based organisation" doing, among other things,
> violations of civil rights.

> So any other government based organisation cannot be
> trust, end of argument.


> Well I just talked  about a service, which provides
> certificates to its citizen. That means it signs a
> public/private key pair, which is generated by the,
> hopefully open source, crypto module of your browser.

> So either you claim to have evidence that this modules
> have been hacked and the key pair is transferred to
> some of these evil organisations or I really don't see
> your point.

Simply stated, it is established that government based organisations
sometimes act in a nefarious manner, contrary to the law and contrary
to the interests of the population. I view that as a reason not to
trust government based organisations. And if I don't trust government
based organisations, I cannot trust a certification issued by one.

Of course, private companies or individuals who issue certifications
are susceptible to coercion. Whether issued by government or by
private sector, a single certification on a public key represents a
single point of failure. It does not provide any great level of
assurance the corresponding private key is controlled by the identity
it claims. Such assurance could potentially be derived from numerous
certifications that are independent from each other, but how do you
tell which are truly independent?

Where actual identity is not required, just continuity of
communication, I see no value in obtaining any certification at all.

- --
Best regards

MFPA                    mailto:expires2013 at

Can you imagine a world with no hypothetical situations?


More information about the Gnupg-users mailing list