trust your corporation for keyowner identification?

Paul R. Ramer free10pro at gmail.com
Mon Nov 11 18:32:58 CET 2013


Stan Tobias <sttob at privatdemail.net> wrote:
>> > IIUC, your point is that verification would enable one to avoid collusion, as it
>> > is the only flaw I can see in this verification scheme.
>> > Except collusion can not be avoided in any way, AFAIK.
>>
>> No.  Avoiding collusion is impossible here.  It just comes down to you
>> vouching through your signature on the second key that you have
>> *verified* it.  Nothing more, nothing less.  If you didn't follow all of
>> the steps to verify it, why would you sign it with an exportable
>> signature?
>
>You verify the key(s) by inspecting them and drawing conclusions.
>You have a mathematical proof in front of your eyes.  If "verification"
>is not gathering evidence (for building certainty, or strong belief),
>then what is it?

The issue I was talking about here was whether my insistence on following all of the necessary steps for verification in the scenario that we had been discussing was because I believed that such seeming pedanticism was a method to prevent collusion.  I just pointed out that no amount of verification of the key can prevent the key owner from sharing the key or messages encrypted to it with other people.  There is no need to believe that verification does not yield certainty in the ownership of the key.

Cheers,

--Paul
--
PGP: 3DB6D884


