trust your corporation for keyowner identification?
Stan Tobias
sttob at privatdemail.net
Mon Nov 11 00:28:11 CET 2013
"Paul R. Ramer" <free10pro at gmail.com> wrote:
> On 11/05/2013 09:26 AM, Leo Gaspard wrote:
> > However, I think in this case (assuming there are no more UID on key 2 than on
> > key 1), assertions are sufficient, *because* there are two assertions, one in
> > both ways.
> >
> > I mean :
> > * Owner of Key 1 says (s)he is owner of Key 2 (through signed message saying
> > you so)
> > * Owner of Key 2 says (s)he is owner of Key 1 (through signed UID on Key 2)
> >
> > So, except in case of collusion between owners of Keys 1 and 2, I believe there
> > is no way one can be wrong in signing Key 2 (of course, if Key 1 is signed).
>
> There could be collusion with only one key. Verification of the key
> details cannot address this.
>
> > IIUC, your point is that verification would enable one to avoid collusion, as it
> > is the only flaw I can see in this verification scheme.
> > Except collusion can not be avoided in any way, AFAIK.
>
> No. Avoiding collusion is impossible here. It just comes down to you
> vouching through your signature on the second key that you have
> *verified* it. Nothing more, nothing less. If you didn't follow all of
> the steps to verify it, why would you sign it with an exportable
> signature?
You verify the key(s) by inspecting them and drawing conclusions.
You have a mathematical proof in front of your eyes. If "verification"
is not gathering evidence (for building certainty, or strong belief),
then what is it?
Stan Tobias
More information about the Gnupg-users
mailing list