trust your corporation for keyowner identification?

Stan Tobias sttob at privatdemail.net
Mon Nov 11 00:28:11 CET 2013


"Paul R. Ramer" <free10pro at gmail.com> wrote:
> On 11/05/2013 09:26 AM, Leo Gaspard wrote:
> > However, I think in this case (assuming there are no more UID on key 2 than on
> > key 1), assertions are sufficient, *because* there are two assertions, one in
> > both ways.
> > 
> > I mean:
> >  * Owner of Key 1 says (s)he is owner of Key 2 (through signed message saying
> >    you so)
> >  * Owner of Key 2 says (s)he is owner of Key 1 (through signed UID on Key 2)
> > 
> > So, except in case of collusion between owners of Keys 1 and 2, I believe there
> > is no way one can be wrong in signing Key 2 (of course, if Key 1 is signed).
>
> There could be collusion with only one key.  Verification of the key
> details cannot address this.
>
> > IIUC, your point is that verification would enable one to avoid collusion, as it
> > is the only flaw I can see in this verification scheme.
> > Except collusion cannot be avoided in any way, AFAIK.
>
> No.  Avoiding collusion is impossible here.  It just comes down to you
> vouching through your signature on the second key that you have
> *verified* it.  Nothing more, nothing less.  If you didn't follow all of
> the steps to verify it, why would you sign it with an exportable
> signature?

You verify the key(s) by inspecting them and drawing conclusions.
You have a mathematical proof in front of your eyes.  If "verification"
is not gathering evidence (for building certainty, or strong belief),
then what is it?

Stan Tobias
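The two-way check Leo describes in the quoted text, reduced to a runnable model. This is an added example, not code from the thread or from GnuPG: it uses Ed25519 signatures and a hash of the public key as stand-ins for OpenPGP keys, UIDs and fingerprints, and the statement format and the names (`Assert`, `CrossCertified`) are my own. The link between two keys is accepted only when the holder of each key has signed a statement naming the other; a one-sided claim or a tampered signature is rejected. As Paul points out, this cannot detect collusion: two valid signatures prove that both keys vouched for each other, not that the vouching was truthful.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Key is a constructed stand-in for an OpenPGP key: an Ed25519 pair whose
// "fingerprint" is a truncated SHA-256 of the public key (not OpenPGP's format).
type Key struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewKey generates a fresh key pair.
func NewKey() (Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Key{}, err
	}
	return Key{Pub: pub, priv: priv}, nil
}

// Fingerprint derives an identifier from the public key only.
func (k Key) Fingerprint() string {
	sum := sha256.Sum256(k.Pub)
	return hex.EncodeToString(sum[:8])
}

// assertionMsg is the canonical statement that gets signed (my own format).
func assertionMsg(from, to string) []byte {
	return []byte("I, holder of key " + from + ", also hold key " + to)
}

// Assertion is one signed claim: "SignerFP also holds Claimed".
// It models both the signed message (Key 1 -> Key 2) and the
// signed UID on Key 2 (Key 2 -> Key 1) from the thread.
type Assertion struct {
	SignerFP string
	Claimed  string
	Sig      []byte
}

// Assert signs the claim that k's holder also holds other.
func (k Key) Assert(other Key) Assertion {
	msg := assertionMsg(k.Fingerprint(), other.Fingerprint())
	return Assertion{SignerFP: k.Fingerprint(), Claimed: other.Fingerprint(), Sig: ed25519.Sign(k.priv, msg)}
}

// Verify checks the signature and that the public key really is the claimed signer.
func (a Assertion) Verify(signer ed25519.PublicKey) bool {
	if (Key{Pub: signer}).Fingerprint() != a.SignerFP {
		return false
	}
	return ed25519.Verify(signer, assertionMsg(a.SignerFP, a.Claimed), a.Sig)
}

// CrossCertified accepts the link between two keys only if each direction holds:
// Key 1 asserts it holds Key 2 AND Key 2 asserts it holds Key 1. A valid result
// proves both keys vouched; it cannot rule out collusion between their holders.
func CrossCertified(pub1, pub2 ed25519.PublicKey, fromKey1, fromKey2 Assertion) bool {
	fp1 := (Key{Pub: pub1}).Fingerprint()
	fp2 := (Key{Pub: pub2}).Fingerprint()
	forward := fromKey1.SignerFP == fp1 && fromKey1.Claimed == fp2 && fromKey1.Verify(pub1)
	backward := fromKey2.SignerFP == fp2 && fromKey2.Claimed == fp1 && fromKey2.Verify(pub2)
	return forward && backward
}

func main() {
	k1, _ := NewKey()
	k2, _ := NewKey()
	k3, _ := NewKey()

	// Both directions present: accepted.
	fmt.Println("mutual assertions:", CrossCertified(k1.Pub, k2.Pub, k1.Assert(k2), k2.Assert(k1)))

	// Only Key 3 claims Key 1; Key 1 never claimed Key 3: rejected.
	fmt.Println("one-sided claim:", CrossCertified(k1.Pub, k3.Pub, k1.Assert(k2), k3.Assert(k1)))

	// Backward assertion with a flipped signature bit: rejected.
	bad := k2.Assert(k1)
	bad.Sig = append([]byte{}, bad.Sig...)
	bad.Sig[0] ^= 0x01
	fmt.Println("tampered signature:", CrossCertified(k1.Pub, k2.Pub, k1.Assert(k2), bad))
}
```

The check binds each assertion to the signer by fingerprint before verifying the signature, so an assertion cannot be replayed under a different key; what it deliberately does not do is decide whether the two holders are the same person, which is the judgment the signer of an exportable certification is vouching for.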
